CVE-2025-64486
📋 TL;DR
This vulnerability in the calibre e-book manager allows an attacker to write arbitrary files to the filesystem when calibre processes a malicious FB2 (FictionBook) file. This can lead to arbitrary code execution on affected systems. Users running calibre 8.13.0 or earlier are vulnerable when viewing or converting untrusted FB2 files.
💻 Affected Systems
- calibre
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local file system corruption, data loss, or limited code execution in user context when processing malicious FB2 files from untrusted sources.
If Mitigated
No impact if proper file validation is implemented or if only trusted FB2 files are processed.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious FB2 file. No authentication is needed once the file is processed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.14.0
Vendor Advisory: https://github.com/kovidgoyal/calibre/security/advisories/GHSA-hpwq-c98h-xp8g
Restart Required: No
Instructions:
1. Update calibre to version 8.14.0 or later.
2. On Linux/macOS: use your package manager or 'calibre --update'.
3. On Windows: download the latest installer from calibre-ebook.com.
4. Verify the version with 'calibre --version'.
🔧 Temporary Workarounds
Disable FB2 file processing
Platform: all
Prevent calibre from processing FB2 files by removing or disabling FB2 support.
# No simple command available - requires modifying calibre configuration or removing FB2 plugin
Use sandboxed environment
Platform: linux
Run calibre in an isolated container or virtual machine when processing untrusted files.
# Example using Docker container
docker run --rm -v /path/to/books:/books linuxserver/calibre
🧯 If You Can't Patch
- Avoid opening FB2 files from untrusted sources in calibre
- Use alternative software for FB2 file processing until patched
🔍 How to Verify
Check if Vulnerable:
Check the calibre version with 'calibre --version'. If the version is 8.13.0 or earlier, the system is vulnerable.
Check Version:
calibre --version
Verify Fix Applied:
After updating, verify that the version is 8.14.0 or later with 'calibre --version'.
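To make the version check above scriptable across a fleet, here is an added example (not from the advisory or the calibre project) that parses `calibre --version` output and compares it numerically against the 8.14.0 fix release. It assumes the output has the form "calibre (calibre X.Y.Z)" and takes that string as an argument, so it also works on version strings collected from other hosts.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a calibre build against the
# fixed release 8.14.0. Assumes `calibre --version` prints a line such as
# "calibre (calibre 8.13.0)"; the output is passed in as an argument so the
# check can run without calibre installed locally.

FIXED_VERSION="8.14.0"

# Pull the first dotted X.Y.Z version out of arbitrary --version output.
calibre_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component. Numeric, not lexical,
# so 8.9.0 sorts below 8.14.0. Prints -1, 0 or 1.
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Exit status: 0 = vulnerable (below 8.14.0), 1 = fixed, 2 = version not parseable.
calibre_is_vulnerable() {
    v=$(calibre_version_from_output "$1")
    [ -n "$v" ] || { echo "could not parse calibre version from: $1" >&2; return 2; }
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Check the local install when calibre is on PATH; skipped otherwise.
if command -v calibre >/dev/null 2>&1; then
    out=$(calibre --version 2>/dev/null)
    calibre_is_vulnerable "$out" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE: $out (update to $FIXED_VERSION or later)" ;;
        1) echo "OK: $out" ;;
        *) echo "UNKNOWN: $out" ;;
    esac
fi
```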
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations during FB2 processing
- Multiple failed file validation attempts
Network Indicators:
- Download of FB2 files from untrusted sources followed by calibre process activity
SIEM Query:
process_name:"calibre" AND (file_write:* OR process_create:*) AND file_extension:".fb2"