PT-2025-46211 · Unknown · Pdfminer.Six
Mtolley · Published 2025-11-07 · Updated 2026-02-11
CVE-2025-64512
CVSS v3.1: 8.6 (High)
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Pdfminer.six versions prior to 20251107
Description
Pdfminer.six is a tool for extracting information from PDF documents. Prior to version 20251107, the software could execute arbitrary code from a malicious pickle file when processing a malicious PDF. The CMapDB._load_data() function uses pickle.loads() to deserialize pickle files. A malicious PDF can specify an alternative directory and a filename ending in .pickle.gz, so a malicious gzip-compressed pickle file can carry code that executes automatically when the PDF is processed.
Recommendations
Update to version 20251107.
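As an added, defender-side illustration (not pdfminer.six's own code), the two controls a fix for this bug class needs: a name check that keeps the CMap path inside the bundled directory, and an unpickler that refuses every class or function reference, on the assumption that legitimate CMap data is plain dicts, lists, numbers, bytes and strings. The CMAP_DIR location and the pickle_gz/rejected helpers are mine, not the project's.

```python
import gzip
import io
import pickle
from pathlib import Path

# Assumed location of the trusted, bundled CMap files (not pdfminer's real layout).
CMAP_DIR = Path("cmap")


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup: a class/function reference in CMap data is a red flag."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_cmap_path(name: str, base: Path = CMAP_DIR) -> Path:
    """Map a CMap name taken from the PDF to a file under base, rejecting traversal."""
    if not name or "/" in name or "\\" in name or name.startswith("."):
        raise ValueError(f"invalid CMap name: {name!r}")
    path = (base / f"{name}.pickle.gz").resolve()
    if base.resolve() not in path.parents:  # must stay inside the bundled directory
        raise ValueError("CMap path escapes the bundled directory")
    return path


def load_cmap_bytes(data: bytes) -> dict:
    """Decompress and unpickle a .pickle.gz blob without letting it reference any code."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fp:
        obj = RestrictedUnpickler(fp).load()
    if not isinstance(obj, dict):  # CMap data is assumed to be a top-level dict
        raise pickle.UnpicklingError("unexpected CMap payload type")
    return obj


def load_cmap(name: str) -> dict:
    """Path check first, then restricted unpickling of the file contents."""
    return load_cmap_bytes(safe_cmap_path(name).read_bytes())


def pickle_gz(obj) -> bytes:
    """Demo helper: build a .pickle.gz blob the way a trusted build step would."""
    return gzip.compress(pickle.dumps(obj))


def rejected(data: bytes) -> bool:
    """Demo helper: True if load_cmap_bytes refuses the blob."""
    try:
        load_cmap_bytes(data)
    except (pickle.UnpicklingError, ValueError, OSError):
        return True
    return False
```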
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Debian
Pdfminer.Six