CVE-2025-46205

8.1 HIGH

📋 TL;DR

A heap use-after-free vulnerability in the PoDoFo PDF library's PdfTokenizer::ReadDictionary function allows an attacker to cause a Denial of Service (DoS) by supplying a malicious PDF file for parsing. It affects systems that use PoDoFo v0.10.0 through v0.10.5 for PDF parsing. The vulnerability is disputed by the supplier because no reproducible proof has been provided.

💻 Affected Systems

Products:
  • PoDoFo PDF library
Versions: v0.10.0 to v0.10.5
Operating Systems: All platforms running PoDoFo
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using PoDoFo library for PDF parsing is affected. The vulnerability is in the core library code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application crash leading to service unavailability, potentially allowing further memory corruption attacks if combined with other vulnerabilities.

🟠 Likely Case

Application crash and Denial of Service when processing malicious PDF files, disrupting PDF-related functionality.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though DoS risk remains if a vulnerable version is exposed.

🌐 Internet-Facing: MEDIUM - PDF processing services exposed to untrusted input could be targeted, but exploit requires specific crafted files.
🏢 Internal Only: LOW - Internal systems typically process trusted PDFs, reducing attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a specific PDF file. The vulnerability is disputed by the supplier, and no public proof-of-concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/podofo/podofo

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to the latest PoDoFo version if it addresses the issue, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization (platforms: all)

Implement strict validation of PDF files before processing them with the PoDoFo library.

Sandbox PDF Processing (platforms: all)

Run PoDoFo PDF parsing in isolated containers or sandboxed environments.

🧯 If You Can't Patch

  • Implement network-level filtering to block suspicious PDF files
  • Monitor application logs for crashes related to PDF processing

🔍 How to Verify

Check if Vulnerable:

Check the PoDoFo library version used by your application. If it is v0.10.0 to v0.10.5, you are potentially vulnerable.

Check Version:

Check your application's dependencies or build configuration for the PoDoFo version.

Verify Fix Applied:

Verify that the PoDoFo version is outside the affected range (v0.10.0 to v0.10.5), or test with known malicious PDF samples if available.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during PDF processing
  • Memory access violation errors
  • Segmentation faults in PDF parsing functions

Network Indicators:

  • Multiple failed PDF upload attempts
  • Unusual PDF file upload patterns

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "access violation" OR "heap corruption") AND "pdf"
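The following script, added here as an example and not part of the advisory, applies the same logic as the SIEM query above to constructed application log lines: a record is a hit when its source is application_logs, its message contains one of the three crash phrases, and it mentions "pdf" (matched case-insensitively, which the query itself leaves up to the SIEM). The sample records, the (source, message) log shape and the extra crash terms are assumptions; the extended term list shows a gap in the page's query, since many runtimes log the signal name rather than the phrase "segmentation fault".

```python
"""Apply the advisory's SIEM crash-indicator query to constructed log records."""
from typing import Iterable, List, Tuple

# Constructed sample records (source, message); these are not real logs from the page.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("application_logs", "worker[412]: Segmentation fault in PdfTokenizer::ReadDictionary while parsing upload.pdf"),
    ("application_logs", "worker[413]: heap corruption detected (free(): invalid pointer) during PDF merge"),
    ("application_logs", "worker[414]: access violation reading 0x0000000c in image decoder"),
    ("application_logs", "worker[415]: converted invoice.pdf successfully"),
    ("application_logs", "worker[416]: child exited on SIGSEGV (signal 11) in libpodofo during pdf load"),
    ("syslog", "kernel: segfault in libpodofo.so while handling report.pdf"),
]

# Crash phrases taken verbatim from the advisory's SIEM query.
PAGE_CRASH_TERMS: Tuple[str, ...] = ("segmentation fault", "access violation", "heap corruption")
# Assumed additional terms an operator would add: signal names and the short "segfault" form.
EXTRA_CRASH_TERMS: Tuple[str, ...] = ("sigsegv", "signal 11", "segfault")


def matches_query(source: str, message: str,
                  crash_terms: Tuple[str, ...] = PAGE_CRASH_TERMS) -> bool:
    """source="application_logs" AND (<crash term>) AND "pdf", case-insensitive on the message."""
    m = message.lower()
    return (source == "application_logs"
            and any(term in m for term in crash_terms)
            and "pdf" in m)


def page_query_hits(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Messages the advisory's query, as written, would return."""
    return [msg for src, msg in records if matches_query(src, msg)]


def extended_query_hits(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Same query with the assumed extra crash terms added to the OR list."""
    return [msg for src, msg in records
            if matches_query(src, msg, PAGE_CRASH_TERMS + EXTRA_CRASH_TERMS)]


def mentions_tokenizer(message: str) -> bool:
    """True when the crash is attributed to the function named in the advisory."""
    return "pdftokenizer::readdictionary" in message.lower()


if __name__ == "__main__":
    hits = page_query_hits(SAMPLE_LOGS)
    print(f"page query: {len(hits)} hit(s)")
    for msg in hits:
        flag = " [names PdfTokenizer::ReadDictionary]" if mentions_tokenizer(msg) else ""
        print("  " + msg + flag)
    print(f"extended query: {len(extended_query_hits(SAMPLE_LOGS))} hit(s)")
```

Note that the syslog record is excluded by both variants because of the source filter, even though it names libpodofo and a .pdf file; if your crash output lands in a different source, widen that clause rather than the crash terms.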
