
MuPDF CVE-2025-71382

EUVD: EUVD-2025-210322 (HIGH)
Uncontrolled Recursion (CWE-674)
2026-06-23 VulnCheck GHSA-mhwh-83qc-j6x4
7.1 HIGH (CVSS 4.0, Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM (CVSS 3.1); the CVSS 4.0 vector below carries the same base metrics as the vendor's 7.1 rating

Network-delivered EPUB, low attack complexity, no privileges required, the user must open the file (UI:R in CVSS 3.1, UI:P in CVSS 4.0), and the impact is limited to a process crash, so only availability is rated High (A:H in 3.1, VA:H in 4.0) with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network (AV:N)
Attack Complexity
Low (AC:L)
Attack Requirements
None (AT:N)
Privileges Required
None (PR:N)
User Interaction
Passive (UI:P): the victim only has to open the EPUB
Vulnerable System Impact
Confidentiality None, Integrity None, Availability High (VC:N/VI:N/VA:H)
Subsequent System Impact
None (SC:N/SI:N/SA:N)
Safety (supplemental)
Not Defined (S:X). Note that CVSS 4.0 has no Scope metric; the S in the vector is the Safety supplemental metric, and all threat, environmental and supplemental metrics are left Not Defined (X).

Lifecycle Timeline

Source Code Evidence Fetched: Jun 23, 2026 17:51 (vuln.today)
Analysis Generated: Jun 23, 2026 17:51 (vuln.today)

Description (CVE.org)

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.

Analysis (AI)

Denial of service in MuPDF before 1.27.0-rc1: a remote attacker can crash any application embedding the library for EPUB rendering by supplying a crafted EPUB file containing deeply nested HTML elements and inline CSS. The flaw is in the CSS property inheritance walker (value_from_inheritable_property() in css-apply.c), which recurses up the parent chain without a depth bound and exhausts the process stack. Publicly available exploit code exists via the Artifex bug tracker, but the issue is not listed in CISA KEV, and the CVSS 4.0 base score is 7.1 (availability-only impact).

Technical Context (AI)

MuPDF is Artifex Software's lightweight C library and viewer for rendering PDF, XPS, and EPUB documents. It is embedded in many third-party readers (SumatraPDF, KOReader, zathura-mupdf) and ships in Artifex's own mupdf viewer and mutool binaries. The root cause is CWE-674 (Uncontrolled Recursion): when the EPUB engine resolves a CSS property that is marked 'inherit' or is unset, value_from_inheritable_property() calls itself recursively, walking the match->up parent chain until it reaches an element that sets the property. Each nesting level costs one stack frame, so stack usage grows linearly with the document's nesting depth, which the EPUB author controls; a sufficiently deep DOM/CSS structure exhausts the thread stack and the process dies with a stack overflow. The upstream commit 70b71ab22e6de4d4c44cd301c88231f623a4e94e rewrites the function as a while-loop that walks match->up iteratively, so the lookup uses constant stack space regardless of nesting depth.
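The recursive and iterative shapes of that inheritance walk, side by side, as an added example. This is not MuPDF's code and not the upstream commit: the struct, the property table, the function names (value_recursive, value_iterative, build_chain) and the constructed deep chain are hypothetical stand-ins for MuPDF's css_match, match->up and value_from_inheritable_property(), chosen only to show why one stack frame per nesting level is attacker-controlled and why the loop form is not.

```c
/* Added example, not MuPDF's code. css_match, value[], PROP_COLOR and the
 * helper names below are hypothetical stand-ins for MuPDF's css_match,
 * match->up and value_from_inheritable_property(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPROPS     4   /* hypothetical: number of tracked CSS properties */
#define PROP_COLOR 0

typedef struct css_match_s {
    struct css_match_s *up;      /* enclosing element's match; NULL at root */
    const char *value[NPROPS];   /* NULL = unset here, "inherit" = use parent */
} css_match;

/* Vulnerable shape: one stack frame per nesting level that inherits, and
 * the nesting depth comes from the EPUB. *frames counts frames afterwards;
 * the increment after the call also keeps this a real (non-tail) recursion
 * so an optimizing compiler cannot quietly turn it into a loop. */
static const char *value_recursive(const css_match *m, int prop, size_t *frames)
{
    if (!m)
        return NULL;                               /* past the root: unset */
    const char *v = m->value[prop];
    if (v && strcmp(v, "inherit") != 0)
        return v;
    const char *r = value_recursive(m->up, prop, frames);   /* unbounded */
    (*frames)++;
    return r;
}

/* Fixed shape, as the advisory describes the upstream change: same lookup
 * semantics, constant stack usage however deep the nesting is. */
static const char *value_iterative(const css_match *m, int prop)
{
    for (; m; m = m->up) {
        const char *v = m->value[prop];
        if (v && strcmp(v, "inherit") != 0)
            return v;
    }
    return NULL;
}

/* Constructed attacker-shaped input: `depth` nested elements that all say
 * 'inherit' for PROP_COLOR; only the outermost element sets it. Returns the
 * innermost element (the one the renderer would resolve), NULL on OOM. */
static css_match *build_chain(size_t depth, const char *root_value)
{
    css_match *cur = calloc(1, sizeof *cur);
    if (!cur)
        return NULL;
    cur->value[PROP_COLOR] = root_value;
    for (size_t i = 0; i < depth; i++) {
        css_match *child = calloc(1, sizeof *child);
        if (!child)
            return NULL;                            /* demo: leak on OOM */
        child->up = cur;
        child->value[PROP_COLOR] = "inherit";
        cur = child;
    }
    return cur;
}

static void free_chain(css_match *leaf)
{
    while (leaf) {
        css_match *up = leaf->up;
        free(leaf);
        leaf = up;
    }
}

/* Stack frames the recursive walker spends on a chain of `depth` inheriting
 * levels (one per level, so the result equals depth). Small depths only. */
static size_t recursive_frames(size_t depth)
{
    css_match *leaf = build_chain(depth, "red");
    if (!leaf)
        return (size_t)-1;
    size_t frames = 0;
    const char *v = value_recursive(leaf, PROP_COLOR, &frames);
    size_t result = (v && strcmp(v, "red") == 0) ? frames : (size_t)-1;
    free_chain(leaf);
    return result;
}

/* 1 if the iterative walker resolves the innermost element to root_value. */
static int iterative_resolves(size_t depth, const char *root_value)
{
    css_match *leaf = build_chain(depth, root_value);
    if (!leaf)
        return 0;
    const char *v = value_iterative(leaf, PROP_COLOR);
    int ok = v && strcmp(v, root_value) == 0;
    free_chain(leaf);
    return ok;
}

int main(void)
{
    printf("depth 64: recursive walker used %zu frames, iterative ok=%d\n",
           recursive_frames(64), iterative_resolves(64, "red"));
    /* Hundreds of thousands of nesting levels are cheap to emit in a crafted
     * EPUB. The loop handles them; value_recursive() at this depth would
     * exhaust a default 8 MiB thread stack and crash the process instead. */
    printf("depth 500000: iterative ok=%d\n", iterative_resolves(500000, "red"));
    return 0;
}
```

The point the frame counter makes is that the recursive walker's stack cost is a function of the document, not of the code: nothing in the lookup bounds it, so the only fix is to stop using the stack to hold the walk, which is what the iterative form does. A depth limit would also stop the crash but would reject legitimate deep documents; the loop keeps the semantics and removes the resource dependency.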

Remediation (AI)

Vendor-released patch: upgrade MuPDF to 1.27.0-rc1 or any later release that includes commit 70b71ab22e6de4d4c44cd301c88231f623a4e94e, which rewrites value_from_inheritable_property() to iterate rather than recurse; downstream maintainers that vendor MuPDF can cherry-pick that single commit, since the change is confined to that function in css-apply.c. If an immediate upgrade is not possible, disable EPUB ingestion in the embedding application or refuse EPUB files from untrusted sources at the gateway, accepting the trade-off that legitimate EPUB content will also be blocked. For server-side conversion pipelines, additionally run MuPDF in a sandboxed worker with a watchdog and automatic restart so a single crashed worker does not stall the queue; because this bug kills the worker outright with a stack overflow rather than hanging it, the restart path matters more than the timer, and the crashing input should be quarantined rather than retried. Vendor advisory and commit are at https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0-rc1 and https://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f623a4e94e.


CVE-2025-71382 vulnerability details – vuln.today
