Artifex Ghostscript vulnerabilities

128 known vulnerabilities affecting artifex/ghostscript.

Total CVEs: 128
CISA KEV: 1 (actively exploited)
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 12, HIGH 56, MEDIUM 58, LOW 2

Vulnerabilities

Page 1 of 7
CVE-2025-59800 | MEDIUM | CVSS 5.5 | ≤ 10.05.1 | 2025-09-22
CVE-2025-59800 [MEDIUM] CWE-190: In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8.
Sources: cvelistv5, nvd
CVE-2025-59798 | MEDIUM | CVSS 5.5 | ≤ 10.05.1 | 2025-09-22
CVE-2025-59798 [MEDIUM] CWE-121: Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c.
Sources: cvelistv5, nvd
CVE-2025-59799 | MEDIUM | CVSS 5.5 | ≤ 10.05.1 | 2025-09-22
CVE-2025-59799 [MEDIUM] CWE-121: Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size value.
Sources: cvelistv5, nvd
CVE-2025-48708 | LOW | CVSS 3.3 | fixed in 10.05.1 | 2025-05-23
CVE-2025-48708 [MEDIUM] CWE-212: gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.
Sources: cvelistv5, nvd
CVE-2025-46646 | MEDIUM | CVSS 4.5 | fixed in 10.05.0 | 2025-04-26
CVE-2025-46646 [MEDIUM]: In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.
Sources: cvelistv5, nvd
CVE-2025-27837 | CRITICAL | CVSS 9.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27837 [CRITICAL] CWE-22: An issue was discovered in Artifex Ghostscript before 10.05.0. Access to arbitrary files can occur through a truncated path with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.
Source: nvd
CVE-2025-27831 | CRITICAL | CVSS 9.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27831 [CRITICAL] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via long characters to devices/vector/doc_common.c.
Source: nvd
CVE-2025-27832 | CRITICAL | CVSS 9.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27832 [CRITICAL] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. The NPDL device has a Compression buffer overflow for contrib/japanese/gdevnpdl.c.
Source: nvd
CVE-2025-27836 | CRITICAL | CVSS 9.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27836 [CRITICAL] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. The BJ10V device has a Print buffer overflow in contrib/japanese/gdev10v.c.
Source: nvd
CVE-2025-27834 | HIGH | CVSS 7.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27834 [HIGH] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs via an oversized Type 4 function in a PDF document to pdf/pdf_func.c.
Source: nvd
CVE-2025-27830 | HIGH | CVSS 7.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27830 [HIGH] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs during serialization of DollarBlend in a font, for base/write_t1.c and psi/zfapi.c.
Source: nvd
CVE-2025-27835 | HIGH | CVSS 7.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27835 [HIGH] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs when converting glyphs to Unicode in psi/zbfont.c.
Source: nvd
CVE-2025-27833 | HIGH | CVSS 7.8 | fixed in 10.05.0 | 2025-03-25
CVE-2025-27833 [HIGH] CWE-120: An issue was discovered in Artifex Ghostscript before 10.05.0. A buffer overflow occurs for a long TTF font name to pdf/pdf_fmap.c.
Source: nvd
CVE-2024-46952 | HIGH | CVSS 7.8 | fixed in 10.04.0 | 2024-11-10
CVE-2024-46952 [HIGH] CWE-120: An issue was discovered in pdf/pdf_xref.c in Artifex Ghostscript before 10.04.0. There is a buffer overflow during handling of a PDF XRef stream (related to W array values).
Source: nvd
CVE-2024-46954 | HIGH | CVSS 7.8 | fixed in 10.04.0, fixed in 10.05.0 | 2024-11-10
CVE-2024-46954 [HIGH] CWE-22: An issue was discovered in decode_utf8 in base/gp_utf8.c in Artifex Ghostscript before 10.04.0. Overlong UTF-8 encoding leads to possible ../ directory traversal.
Source: nvd
CVE-2024-46956 | HIGH | CVSS 7.8 | fixed in 10.04.0 | 2024-11-10
CVE-2024-46956 [HIGH] CWE-125: An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.
Source: nvd
CVE-2024-46953 | HIGH | CVSS 7.8 | fixed in 10.04.0 | 2024-11-10
CVE-2024-46953 [HIGH] CWE-190: An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.
Source: nvd
CVE-2024-46951 | HIGH | CVSS 7.8 | fixed in 10.04.0 | 2024-11-10
CVE-2024-46951 [HIGH] CWE-824: An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.
Source: nvd
CVE-2024-46955 | MEDIUM | CVSS 5.5 | fixed in 10.04.0 | 2024-11-10
CVE-2024-46955 [MEDIUM] CWE-125: An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space.
Source: nvd
CVE-2024-29509 | HIGH | CVSS 8.8 | fixed in 10.03.0 | 2024-07-03
CVE-2024-29509 [HIGH] CWE-787: Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
Source: nvd