Skip to main content

Ubuntu CVE-2025-43718

| EUVDEUVD-2025-32701 LOW
Uncontrolled Recursion (CWE-674)
2025-10-01 cve@mitre.org
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-32701
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
CVE Published
Oct 01, 2025 - 19:15 nvd
LOW 2.9

DescriptionCVE.org

Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).

Analysis

Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Recursion (CWE-674).

RemediationAI

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Vendor StatusVendor

Ubuntu

Priority: Medium
poppler
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
plucky released 25.03.0-3ubuntu1.3
upstream released 25.03.0-10
jammy released 22.02.0-2ubuntu0.11
noble released 24.02.0-1ubuntu9.7
questing released 25.03.0-10

Debian

Bug #1117046
poppler
Release Status Fixed Version Urgency
bullseye vulnerable 20.09.0-3.1+deb11u1 -
bullseye (security) vulnerable 20.09.0-3.1+deb11u2 -
bookworm vulnerable 22.12.0-2+deb12u1 -
trixie vulnerable 25.03.0-5+deb13u2 -
forky, sid fixed 25.03.0-11.1 -
(unstable) fixed 25.03.0-10 -

Share

CVE-2025-43718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy