Login Sign Up

CVE-2025-46206

6.5 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability allows remote attackers to cause denial of service in Artifex mupdf by exploiting infinite recursion in the strip_outline() function when processing malicious PDF files with cyclic /Next references. It affects users of mupdf versions 1.25.5 and 1.25.6 who process untrusted PDF files, particularly through the mutool clean utility.

💻 Affected Systems

Products:
  • Artifex mupdf
  • mutool utility
Versions: 1.25.5, 1.25.6
Operating Systems: All platforms running mupdf
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing PDF files with cyclic outline references through mutool clean or similar functionality.

📦 What is this software?

Mupdf by Artifex

View all CVEs affecting Mupdf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of mupdf/mutool processes, potentially causing system resource exhaustion and affecting availability of PDF processing services.

🟠

Likely Case

Denial of service affecting mupdf/mutool processes when processing malicious PDF files, requiring process termination and restart.

🟢

If Mitigated

Limited impact with proper input validation and process isolation, though PDF processing may still fail.

🌐 Internet-Facing: MEDIUM - Exploitable if mupdf processes untrusted PDFs from external sources, but requires specific PDF processing scenarios.
🏢 Internal Only: LOW - Typically requires user interaction or specific PDF processing workflows to trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof of concept available on GitHub, requires user or system to process a crafted PDF file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 0ec7e4d2201bb6df217e01c17396d36297abf9ac and later versions

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=708521

Restart Required: No

Instructions:

1. Update mupdf to latest version from official repository. 2. Apply patch from commit 0ec7e4d2201bb6df217e01c17396d36297abf9ac. 3. Recompile if using source distribution.

🔧 Temporary Workarounds

Input validation for PDF files

all

Implement PDF file validation before processing with mupdf/mutool

Process isolation

all

Run mupdf/mutool in isolated containers or with resource limits

docker run --memory=512m --cpus=1 your_mupdf_container

🧯 If You Can't Patch

  • Implement strict PDF file source validation and only process trusted PDFs
  • Use alternative PDF processing tools for untrusted PDFs

🔍 How to Verify

Check if Vulnerable:

Check mupdf version and test with known malicious PDF sample from GitHub repository

Check Version:

mutool --version

Verify Fix Applied:

Test with same malicious PDF and verify no infinite recursion occurs

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage by mupdf processes
  • Process termination due to resource exhaustion
  • Repeated mutool clean failures

Network Indicators:

  • PDF file downloads followed by high resource usage

SIEM Query:

ProcessName="mutool" AND (CPUUsage>90 OR MemoryUsage>90)

📊 Metadata

CVE ID: CVE-2025-46206
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE: CWE-674
EPSS Score: 0.22% exploit probability (44.6th percentile)
Published: August 4, 2025
Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-46206, you might also want to check these:

CVE-2023-51803 9.8

This vulnerability in Heimdall allows attackers to upload malicious icons containing PHP code, poten...

Same vulnerability type (CWE-674)
CVE-2024-37973 8.8

CVE-2024-37973 is a Secure Boot security feature bypass vulnerability that allows attackers to circu...

Same vulnerability type (CWE-674)
CVE-2024-20311 8.6

An unauthenticated remote attacker can send specially crafted LISP packets to vulnerable Cisco devic...

Same vulnerability type (CWE-674)