CVE-2025-27831

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in Artifex Ghostscript's DOCXWRITE/TXTWRITE device allows attackers to execute arbitrary code or cause denial of service by processing specially crafted documents. This affects all systems running vulnerable Ghostscript versions that process untrusted documents. The high CVSS score indicates critical severity with network-accessible attack vectors.

💻 Affected Systems

Products:
  • Artifex Ghostscript
Versions: All versions before 10.05.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing documents through DOCXWRITE or TXTWRITE devices. Many applications embed Ghostscript for PDF/PS processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/root privileges leading to complete system compromise, data exfiltration, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Denial of service through application crashes, with potential for limited code execution depending on exploit sophistication and system protections.

🟢 If Mitigated

Application crash without code execution if modern exploit mitigations (ASLR, DEP) are effective, but service disruption still occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending malicious documents to vulnerable systems. No public exploit code identified yet, but buffer overflow in common code path suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.05.0

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=708132

Restart Required: Yes

Instructions:

1. Download Ghostscript 10.05.0 or later from artifex.com.
2. Stop all Ghostscript services.
3. Install the updated version.
4. Restart services and applications using Ghostscript.

🔧 Temporary Workarounds

Disable vulnerable devices

all

Remove or disable DOCXWRITE and TXTWRITE devices if not required

Modify Ghostscript configuration to exclude -sDEVICE=docxwrite and -sDEVICE=txtwrite

Sandbox document processing

linux

Run Ghostscript in isolated containers with minimal privileges

docker run --read-only --cap-drop=ALL -v /tmp:/tmp:ro ghostscript-container

🧯 If You Can't Patch

  • Implement strict input validation for all document processing workflows
  • Deploy network segmentation to isolate Ghostscript servers from critical assets

🔍 How to Verify

Check if Vulnerable:

Run 'gs --version' and check if version is below 10.05.0

Check Version:

gs --version

Verify Fix Applied:

Confirm version is 10.05.0 or higher with 'gs --version' and test document processing
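
The version check above, combined with a check for the two affected devices, as an added example (not from the Ghostscript project or this advisory). The function names and verdict strings are hypothetical, the sample `gs -h` text is constructed, and the parser assumes the usual `gs -h` layout of an "Available devices:" header followed by indented device names.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2025-27831 exposure.
FIXED_MAJOR=10; FIXED_MINOR=5    # 10.05.0, the patch version given on this page

# Exit 0 if VERSION >= 10.05.0, 1 if older, 2 if it cannot be parsed.
gs_version_is_fixed() {
    printf '%s\n' "$1" | awk -F. -v M="$FIXED_MAJOR" -v m="$FIXED_MINOR" '
        !/^[0-9]+\.[0-9]+(\.[0-9]+)?$/ { exit 2 }
        { exit !($1 + 0 > M || ($1 + 0 == M && $2 + 0 >= m)) }'
}

# Read `gs -h` output on stdin and print any affected device names it lists.
gs_affected_devices() {
    awk '
        /^Available devices:/ { in_list = 1; next }
        /^[^ \t]/             { in_list = 0 }   # next unindented header ends the list
        in_list { for (i = 1; i <= NF; i++)
                      if ($i == "docxwrite" || $i == "txtwrite") print $i }'
}

# Print a one-word verdict for VERSION ($1) plus `gs -h` text on stdin.
gs_assess() {
    devices=$(gs_affected_devices | tr '\n' ' ')
    gs_version_is_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "patched" ;;
        2) echo "unknown-version" ;;
        *) if [ -n "$devices" ]; then echo "exposed"
           else echo "outdated-devices-absent"; fi ;;   # still upgrade
    esac
}

# Constructed, abbreviated sample of `gs -h` output, used when gs is not installed.
SAMPLE_HELP='GPL Ghostscript 10.04.0
Default output device: bbox
Available devices:
   bbox bit bmp16 docxwrite eps2write jpeg pdfwrite
   png16m ps2write tiff24nc txtwrite
Search path:
   /usr/share/ghostscript/10.04.0/Resource/Init'

if command -v gs >/dev/null 2>&1; then
    gs -h 2>/dev/null | gs_assess "$(gs --version 2>/dev/null)"
else
    printf '%s\n' "$SAMPLE_HELP" | gs_assess "10.04.0"
fi
```

Comparing fields numerically treats `10.05.0` and `10.5.0` as the same release and ranks `9.56.1` below `10.05.0`, which a plain string comparison would get wrong.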

📡 Detection & Monitoring

Log Indicators:

  • Ghostscript crash logs
  • Abnormal document processing errors
  • Memory access violation messages

Network Indicators:

  • Unusual document uploads to processing services
  • Traffic spikes to Ghostscript ports

SIEM Query:

source="ghostscript.log" AND (error OR crash OR segmentation)
