CVE-2025-70559
📋 TL;DR
pdfminer.six contains an insecure deserialization vulnerability where Python pickle is used to deserialize CMap cache files without validation. An attacker who can place a malicious pickle file in an accessible location can trigger arbitrary code execution when the file is loaded. This affects applications using vulnerable versions of pdfminer.six for PDF processing.
💻 Affected Systems
- pdfminer.six
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Local privilege escalation or code execution in contexts where attackers can write files to cache directories.
If Mitigated
Limited impact if proper file permissions prevent unauthorized cache file writes.
🎯 Exploit Status
Exploitation requires the ability to write malicious pickle files to the CMap cache directory. This issue stems from an incomplete patch for CVE-2025-64512.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20251230
Vendor Advisory: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc
Restart Required: No
Instructions:
1. Update pdfminer.six to version 20251230 or later using pip (quote the requirement so the shell does not treat >= as a redirect): pip install --upgrade "pdfminer.six>=20251230"
2. Verify the update with: pip show pdfminer.six
3. Clear existing CMap cache if previously used.
🔧 Temporary Workarounds
Disable CMap Caching
Platform: all. Prevent the use of pickle deserialization by disabling CMap file caching.
Set environment variable: PDFMINER_CMAP_CACHE='' or configure application to not use caching.
Restrict Cache Directory Permissions
Platform: Linux. Limit write access to the CMap cache directory to prevent malicious file placement.
chmod 755 /path/to/cache/directory
chown root:root /path/to/cache/directory
🧯 If You Can't Patch
- Disable CMap caching entirely via environment variable or configuration.
- Implement strict file permissions on cache directories and monitor for unauthorized file writes.
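One way to check a cache directory for the two conditions above (loose permissions and unexpected pickle content) without ever deserializing a file. This is an added example, not code from the advisory or from pdfminer.six; the function names are hypothetical, and it assumes cache files are gzip-compressed pickles with a `.pickle.gz` suffix whose legitimate content is plain containers of strings and integers.

```python
import gzip
import pickletools
import stat
from pathlib import Path

# Opcodes that import a name or call/construct an object during unpickling.
# Plain containers of str/int/bytes/tuple/dict need none of them.
ACTIVE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def active_opcodes(data: bytes) -> list[str]:
    """Return the import/call opcodes in a pickle stream without loading it."""
    try:
        return sorted({op.name for op, _arg, _pos in pickletools.genops(data)
                       if op.name in ACTIVE_OPCODES})
    except Exception:  # truncated or malformed stream: report it, never load it
        return ["UNPARSEABLE"]


def writable_by_others(path: Path) -> bool:
    """True if group or other has write permission on path."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cmap_dir(cache_dir: str, suffix: str = ".pickle.gz") -> dict[str, list[str]]:
    """Map each flagged path to the reasons it was flagged.

    The suffix default is an assumption about how cache files are named.
    """
    root = Path(cache_dir)
    findings: dict[str, list[str]] = {}
    if writable_by_others(root):
        findings[str(root)] = ["directory is group/world writable"]
    for f in sorted(root.rglob("*" + suffix)):
        reasons = []
        if writable_by_others(f):
            reasons.append("file is group/world writable")
        try:
            ops = active_opcodes(gzip.decompress(f.read_bytes()))
        except Exception:  # not valid gzip, or unreadable
            ops = ["UNPARSEABLE"]
        if ops:
            reasons.append("pickle opcodes: " + ",".join(ops))
        if reasons:
            findings[str(f)] = reasons
    return findings
```

An empty result means no file in the directory needs an import or a call to unpickle and nothing is writable by group or other; any finding is a reason to inspect the file by hand before the library loads it again.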
🔍 How to Verify
Check if Vulnerable:
Check pdfminer.six version: pip show pdfminer.six | grep Version
Check Version:
pip show pdfminer.six | grep Version
Verify Fix Applied:
Confirm version is 20251230 or later: pip show pdfminer.six | grep Version
📡 Detection & Monitoring
Log Indicators:
- Unexpected Python pickle loading errors
- Unusual file writes to CMap cache directories
- Process execution from PDF parsing contexts
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
Process execution where parent process is PDF-related and command contains suspicious payloads