CVE-2025-63917

7.1 HIGH

📋 TL;DR

PDFPatcher versions up to 1.1.3.4663 contain an XML External Entity (XXE) vulnerability in the XML bookmark import functionality. Attackers can exploit this to read arbitrary files from the victim's filesystem, exfiltrate sensitive data via HTTP requests, perform SSRF attacks, or cause denial of service. Users of PDFPatcher who import XML bookmarks are affected.

💻 Affected Systems

Products:
  • PDFPatcher
Versions: through 1.1.3.4663
Operating Systems: Windows, Linux, macOS (via .NET compatibility)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires user interaction to import malicious XML bookmarks; .NET framework dependency.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of sensitive local files including credentials, configuration files, and personal data; SSRF attacks against internal services; system instability via DoS.

🟠

Likely Case

Exfiltration of local files containing sensitive information when users import malicious XML bookmarks.

🟢

If Mitigated

Limited impact if XML bookmark import is disabled or external network access is restricted.

🌐 Internet-Facing: LOW - PDFPatcher is a desktop application, not typically internet-facing.
🏢 Internal Only: MEDIUM - Risk exists when users import untrusted XML files within organizational environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user to import a malicious XML file; proof-of-concept available in GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates: https://github.com/wmjordan/PDFPatcher

🔧 Temporary Workarounds

Disable XML bookmark import

Applies to: all

Prevent use of the vulnerable XML bookmark import functionality.

Use XML parser with secure settings

Applies to: all

Modify source code to use XmlDocument with XmlResolver set to null or use XmlReader with secure settings.

XmlDocument doc = new XmlDocument(); doc.XmlResolver = null;
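The one-liner above disables the resolver on XmlDocument, but on .NET Framework the document's XmlResolver is non-null by default and a DOCTYPE is still parsed, so the safer pattern is to build an XmlReader that prohibits DTDs entirely and feed the document from that. The following is an added example, not PDFPatcher's own code: the LoadBookmarksSafely method, the bookmark element names and the sample inputs are assumptions constructed for illustration, not the project's real bookmark schema.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not PDFPatcher code): a hardened loader for bookmark XML that
// refuses any DTD and never resolves external resources, so an external entity
// can neither read a local file nor trigger an outbound HTTP request.
public static class SafeBookmarkXml
{
    public static XmlDocument LoadBookmarksSafely(string xmlText)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null,                     // no file:// or http:// fetches
            MaxCharactersFromEntities = 1024        // cap entity expansion (defense in depth)
        };

        using var stringReader = new StringReader(xmlText);
        using var reader = XmlReader.Create(stringReader, settings);

        // Also disable the resolver on the document itself, as the workaround above does;
        // on .NET Framework the default is a resolver that follows external references.
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    public static void Main()
    {
        // Constructed samples (assumed element names, not the real PDFPatcher format):
        // a plain bookmark file, and one that declares a DTD with an external entity.
        const string benign =
            "<bookmarks><bookmark title=\"Chapter 1\" page=\"1\"/></bookmarks>";
        const string withDtd =
            "<!DOCTYPE bookmarks [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>" +
            "<bookmarks><bookmark title=\"&ext;\" page=\"1\"/></bookmarks>";

        var ok = LoadBookmarksSafely(benign);
        Console.WriteLine("benign: loaded " + ok.DocumentElement.ChildNodes.Count + " bookmark(s)");

        try
        {
            LoadBookmarksSafely(withDtd);
            Console.WriteLine("withDtd: loaded (unexpected)");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit rejects the document before any entity is resolved.
            Console.WriteLine("withDtd: rejected - " + ex.Message);
        }
    }
}
```

DtdProcessing.Prohibit is the setting that matters: with it, the parser fails at the DOCTYPE itself, so the external entity is never even looked up. DtdProcessing.Ignore would also skip entity resolution but silently drops the DTD, which is less useful for spotting hostile input; a rejected import is the signal worth logging under the detection section below.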

🧯 If You Can't Patch

  • Avoid importing XML bookmarks from untrusted sources.
  • Use network segmentation to restrict outbound HTTP requests from affected systems.

🔍 How to Verify

Check if Vulnerable:

Check PDFPatcher version in Help > About; if version is 1.1.3.4663 or earlier, it is vulnerable.

Check Version:

Not applicable - check via application GUI.

Verify Fix Applied:

Verify version is later than 1.1.3.4663 or check source code for secure XML parser configuration.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns via XML import
  • Outbound HTTP requests to unexpected domains during XML processing

Network Indicators:

  • HTTP requests with XML data to external servers
  • Unusual outbound traffic from PDFPatcher process

SIEM Query:

Process:PDFPatcher AND (EventID:4663 OR DestinationPort:80 OR DestinationPort:443) AND XML

🔗 References
