CVE-2025-64512

8.6 HIGH

📋 TL;DR

CVE-2025-64512 is a remote code execution vulnerability in pdfminer.six where malicious PDF files can trigger deserialization of arbitrary pickle files, leading to arbitrary code execution. This affects any application or service that processes PDF files using vulnerable versions of pdfminer.six. The vulnerability is particularly dangerous because it can be exploited without user interaction in automated PDF processing systems.

💻 Affected Systems

Products:
  • pdfminer.six
Versions: All versions prior to 20251107
Operating Systems: All operating systems where pdfminer.six is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service that uses pdfminer.six to process PDF files is vulnerable, including web applications, document processing pipelines, and automated systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the affected system, enabling data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Arbitrary code execution in the context of the PDF processing application, potentially leading to data exfiltration, cryptocurrency mining, or ransomware deployment.

🟢 If Mitigated

Limited impact if proper sandboxing and least privilege principles are implemented, potentially restricting damage to isolated containers or limited user contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with a specially crafted PDF file. Public proof-of-concept code exists in the advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20251107

Vendor Advisory: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp

Restart Required: No

Instructions:

1. Update pdfminer.six to version 20251107 or later using pip: 'pip install --upgrade "pdfminer.six>=20251107"' (quote the requirement so the shell does not treat '>=' as an output redirection).
2. Verify the update with: 'pip show pdfminer.six'
3. Restart any services or applications using pdfminer.six to ensure they load the patched version.

🔧 Temporary Workarounds

Restrict PDF Processing (platforms: all)

Temporarily disable PDF processing in affected applications until patching is complete.

Sandbox PDF Processing (platforms: linux)

Run pdfminer.six in isolated containers or sandboxed environments with minimal privileges.

docker run --read-only --cap-drop=ALL -v /tmp:/tmp:ro your_application

🧯 If You Can't Patch

  • Implement strict input validation to reject PDF files with suspicious CMap references or pickle file paths.
  • Deploy runtime application self-protection (RASP) or WAF rules to detect and block exploitation attempts targeting pickle deserialization.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of pdfminer.six with 'pip show pdfminer.six | grep Version'; if the version is earlier than 20251107, the system is vulnerable.

Check Version:

pip show pdfminer.six | grep Version

Verify Fix Applied:

Verify the version is 20251107 or later: 'pip show pdfminer.six | grep Version' should show 'Version: 20251107' or higher.
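The version check above, as an added example that is not part of the advisory: pdfminer.six uses date-style version numbers, so a pin or installed version is affected when it sorts below 20251107. The script also scans requirements-style lines (the sample lines are constructed) and fails closed on unpinned or unparseable entries.

```python
"""Added example (not from the advisory): check pdfminer.six pins and the
installed package against the CVE-2025-64512 fix release 20251107."""
import re
from importlib import metadata

FIXED_VERSION = 20251107  # first release carrying the fix, per the advisory


def is_vulnerable(version: str) -> bool:
    """Date-style versions (YYYYMMDD) below the fix release are affected.
    Unparseable strings are treated as vulnerable so odd pins fail closed."""
    m = re.fullmatch(r"(\d{8})(?:\.\w+)?", version.strip())
    if not m:
        return True
    return int(m.group(1)) < FIXED_VERSION


def scan_requirements(lines):
    """Return (line, version) pairs for affected pdfminer.six entries.
    Only exact '==' pins are judged; ranges and unpinned entries are reported
    too, since the resolved version cannot be known offline."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"(?i)pdfminer[._-]six\s*(==\s*([\w.]+))?", line)
        if not m:
            continue
        version = m.group(2)
        if version is None or is_vulnerable(version):
            findings.append((raw.rstrip(), version))
    return findings


def installed_status():
    """(version, vulnerable) for the locally installed package, or (None, False)."""
    try:
        version = metadata.version("pdfminer.six")
    except metadata.PackageNotFoundError:
        return None, False
    return version, is_vulnerable(version)


# Constructed sample requirements for demonstration.
SAMPLE_REQUIREMENTS = [
    "requests==2.32.3",
    "pdfminer.six==20231228   # old pin, affected",
    "pdfminer-six==20251107   # first fixed release",
    "pdfminer.six             # unpinned: resolved version unknown",
]

if __name__ == "__main__":
    for line, ver in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"affected entry: {line!r} (version {ver})")
    print("installed:", installed_status())
```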

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from PDF processing services
  • Errors related to pickle deserialization or CMap loading
  • Outbound connections from PDF processing systems to unknown IPs

Network Indicators:

  • Unexpected outbound network traffic from PDF processing systems
  • DNS requests to suspicious domains from PDF processing services

SIEM Query:

source="pdfminer" AND (event="pickle.loads" OR event="CMapDB._load_data")
