Which versions of PoDoFo are affected by CVE-2025-9394?

Organizations using A flaw should be aware of moderate risk from CVE-2025-9394, a buffer overflow vulnerability rated CVSS 4.8. Exploitation could cause memory corruption or application crashes.. A patch is available.

Is there a public PoC exploit available for CVE-2025-9394?

Yes, a public proof-of-concept exploit is available for CVE-2025-9394. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-9394?

During next maintenance window: Identify affected systems and apply vendor patches when convenient. Vendor patch is available.

PoDoFo CVE-2025-9394

Q: What is the CVSS score of CVE-2025-9394?

CVE-2025-9394 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Buffer Overflow (CWE-119)

2025-08-24 cna@vuldb.com

Denial Of Service Buffer Overflow

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

4.3 MEDIUM

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

4.8 (MEDIUM) 1.9 (LOW)

Analysis Generated

Mar 28, 2026 - 19:08 vuln.today

Patch released

Mar 28, 2026 - 19:08 nvd

Patch available

PoC Detected

Sep 12, 2025 - 20:02 vuln.today

Public exploit code

CVE Published

Aug 24, 2025 - 16:15 nvd

MEDIUM 4.8

DescriptionCVE.org

A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue.

AnalysisAI

A flaw has been found in PoDoFo 1.1.0-dev.cpp of the component PDF Dictionary Parser. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Buffer Overflow (CWE-119), which allows attackers to corrupt memory to execute arbitrary code or crash the application. A flaw has been found in PoDoFo 1.1.0-dev.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue. Affected products include: Podofo Project Podofo.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use memory-safe languages or bounds-checking. Enable ASLR, DEP/NX, stack canaries. Use safe string functions.

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Module for Package Hub 15 SP7	Fixed
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Server 12 SP5	Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS	Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security	Fixed

CVE-2025-9394 vulnerability details – vuln.today

Back

SUSE Linux Enterprise Server LTSS Extended Security 12 SP5	Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5	Fixed
SUSE Linux Enterprise Desktop 12	Fixed
SUSE Linux Enterprise Desktop 12 SP1	Fixed
SUSE Linux Enterprise Desktop 12 SP2	Fixed
SUSE Linux Enterprise Desktop 12 SP3	Fixed
SUSE Linux Enterprise Desktop 12 SP4	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP4	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
SUSE Linux Enterprise Server 12	Fixed
SUSE Linux Enterprise Server 12 SP1	Fixed
SUSE Linux Enterprise Server 12 SP2	Fixed
SUSE Linux Enterprise Server 12 SP3	Fixed
SUSE Linux Enterprise Server 12 SP4	Fixed
SUSE Linux Enterprise Server for SAP Applications 12	Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP1	Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP2	Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP3	Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP4	Fixed
SUSE Linux Enterprise Software Development Kit 12 SP2	Fixed
SUSE Linux Enterprise Software Development Kit 12 SP3	Fixed
SUSE Linux Enterprise Software Development Kit 12 SP4	Fixed
SUSE Linux Enterprise Software Development Kit 12 SP5	Fixed
SUSE Linux Enterprise Workstation Extension 12	Fixed
SUSE Linux Enterprise Workstation Extension 12 SP1	Fixed
SUSE Linux Enterprise Workstation Extension 12 SP2	Fixed
SUSE Linux Enterprise Workstation Extension 12 SP3	Fixed
SUSE Linux Enterprise Workstation Extension 12 SP4	Fixed
SUSE Linux Enterprise Workstation Extension 12 SP5	Fixed
openSUSE Leap 15.3	Fixed
openSUSE Leap 15.4	Fixed
openSUSE Leap 15.5	Fixed

PoDoFo CVE-2025-9394

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code