CVE-2025-43718

| EUVD-2025-32701 LOW
2025-10-01 [email protected]
2.9
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 13, 2026 - 18:18 vuln.today
EUVD ID Assigned
Mar 13, 2026 - 18:18 euvd
EUVD-2025-32701
CVE Published
Oct 01, 2025 - 19:15 nvd
LOW 2.9

Tags

Information Disclosure Ubuntu Debian

Description

Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).

Analysis

Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor).

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Recursion (CWE-674).

Affected Products

Affected: PDFDoc

Remediation

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

15
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +14
POC: 0

Vendor Status

Ubuntu

Priority: Medium
poppler
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
plucky released 25.03.0-3ubuntu1.3
upstream released 25.03.0-10
jammy released 22.02.0-2ubuntu0.11
noble released 24.02.0-1ubuntu9.7
questing released 25.03.0-10
USN-7803-1

Debian

Bug #1117046
poppler
Release Status Fixed Version Urgency
bullseye vulnerable 20.09.0-3.1+deb11u1 -
bullseye (security) vulnerable 20.09.0-3.1+deb11u2 -
bookworm vulnerable 22.12.0-2+deb12u1 -
trixie vulnerable 25.03.0-5+deb13u2 -
forky, sid fixed 25.03.0-11.1 -
(unstable) fixed 25.03.0-10 -

Share

CVE-2025-43718 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy