Unknown · Pdfminer.Six · CVE-2025-64512
**Name of the Vulnerable Software and Affected Versions**
Pdfminer.six versions prior to 20251107
**Description**
Pdfminer.six is a tool for extracting information from PDF documents. Prior to version 20251107, the software could execute arbitrary code from a malicious pickle file when processing a malicious PDF. The `CMapDB._load_data()` function uses `pickle.loads()` to deserialize pickle files. A malicious PDF can specify an alternative directory and a filename ending in `.pickle.gz`, allowing a malicious gzip-compressed pickle file to contain code that executes automatically when the PDF is processed.
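As an added example (not pdfminer.six's own code and not the project's actual fix in 20251107), the following Python shows the two guards a defender would want around the pattern described above: pinning a PDF-supplied CMap name to the trusted directory so it cannot select an alternative path, and unpickling with a restricted `Unpickler` that refuses every global lookup so a pickle stream can only yield literal data. A `pickletools` scan is included for auditing an existing directory of `.pickle.gz` files without loading them. The function names, the sample CMap layout and the temporary directory are assumptions.

```python
"""Defensive loading of gzip-compressed pickle files such as the .pickle.gz
CMap data described in the advisory (added example; not pdfminer.six's code)."""
import gzip
import io
import pathlib
import pickle
import pickletools
import tempfile

# Opcodes that resolve or invoke Python objects. Plain data (dicts, lists,
# ints, bytes, str) never needs any of them, so their presence is a red flag.
_CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Constructed sample shaped like a CMap table (assumption about the layout).
BENIGN_CMAP = {"code2cid": {0x20: 1, 0x41: 34}, "is_vertical": False}


def has_code_opcodes(data: bytes) -> bool:
    """Static scan: does this pickle stream try to look up or call a global?
    Safe for auditing a cmap directory because nothing is deserialized."""
    return any(op.name in _CODE_OPCODES for op, _arg, _pos in pickletools.genops(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Runtime guard: refuse every global lookup, so the unpickler can only
    build literal containers and scalars, never call a function or class."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def load_cmap_pickle(base_dir: pathlib.Path, name: str) -> dict:
    """Load <base_dir>/<name>.pickle.gz, where `name` came from the PDF."""
    base = base_dir.resolve()
    path = (base / f"{name}.pickle.gz").resolve()
    # The name is attacker-influenced, so it must not select another directory.
    if path.parent != base:
        raise ValueError(f"CMap name {name!r} escapes {base}")
    with gzip.open(path, "rb") as fp:
        data = fp.read()
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Exercise both guards against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = pathlib.Path(tmp)
        with gzip.open(base / "ExampleCMap.pickle.gz", "wb") as fp:
            fp.write(pickle.dumps(BENIGN_CMAP))
        # A pickle that merely references a builtin class carries a global
        # lookup. It is harmless to build, but it is exactly the kind of stream
        # the guards must reject, since any executable payload needs that lookup.
        untrusted = pickle.dumps(str)
        with gzip.open(base / "Untrusted.pickle.gz", "wb") as fp:
            fp.write(untrusted)

        results["benign"] = load_cmap_pickle(base, "ExampleCMap")
        results["benign_has_code"] = has_code_opcodes(pickle.dumps(BENIGN_CMAP))
        results["untrusted_has_code"] = has_code_opcodes(untrusted)
        try:
            load_cmap_pickle(base, "Untrusted")
            results["global_rejected"] = False
        except pickle.UnpicklingError:
            results["global_rejected"] = True
        try:
            load_cmap_pickle(base, "../ExampleCMap")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The path check and the restricted unpickler are independent: the first removes the attacker's ability to choose which file is read, the second removes the ability of any pickle file, chosen or not, to run code. Keeping both means a mistake in one does not reopen the issue.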
**Recommendations**
Update to version 20251107.