Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered EPUB, low complexity, no privileges, user must open the file (UI:R), and impact is limited to a process crash so only A:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
AnalysisAI
Denial of service in MuPDF before 1.27.0-rc1 allows remote attackers to crash any application embedding the library for EPUB rendering by supplying a crafted EPUB file containing deeply nested HTML elements and inline CSS. The flaw lives in the CSS property inheritance walker (value_from_inheritable_property() in css-apply.c), which recurses without a depth bound and exhausts the process stack. Publicly available exploit code exists via the Artifex bug tracker, but the issue is not listed in CISA KEV and CVSS 4.0 base is 7.1 (availability-only impact).
Technical ContextAI
MuPDF is Artifex Software's lightweight C library and viewer for rendering PDF, XPS, and EPUB documents, embedded in many third-party readers (SumatraPDF, KOReader, zathura-mupdf, and Artifex's own mupdf and mutool binaries). The root cause is CWE-674 (Uncontrolled Recursion): when the EPUB engine resolves a CSS property that is marked 'inherit' or unset, value_from_inheritable_property() recursively calls itself walking the match->up parent chain. With deeply nested DOM/CSS structures the call depth grows linearly with nesting and overruns the thread stack. The upstream commit 70b71ab22e6de4d4c44cd301c88231f623a4e94e rewrites the function as a bounded while-loop that walks match->up iteratively, eliminating the unbounded stack frames entirely.
RemediationAI
Vendor-released patch: upgrade MuPDF to 1.27.0-rc1 or any later release that includes commit 70b71ab22e6de4d4c44cd301c88231f623a4e94e, which rewrites value_from_inheritable_property() to iterate rather than recurse; downstream maintainers that vendor MuPDF should cherry-pick that single commit. If immediate upgrade is not possible, disable EPUB ingestion in the embedding application or refuse EPUB files from untrusted sources at the gateway, accepting the trade-off that legitimate EPUB content will also be blocked. For server-side conversion pipelines, additionally run MuPDF in a sandboxed worker with a short watchdog timer and automatic restart so a single crashed worker does not interrupt the queue. Vendor advisory and commit are at https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0-rc1 and https://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f623a4e94e.
MuPDF versions 1.23.0 through 1.27.0 are vulnerable to a double-free memory corruption flaw in the display list renderin
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion
Heap overflow in MuPDF 1.27.0 PDF parser enables arbitrary code execution when victims open maliciously crafted PDF file
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malfor
Out-of-bounds read in Artifex MuPDF up to version 1.28.0 within the CFF Index Handler's fz_subset_cff_for_gids function
MuPDF mutool fails to sanitize PDF metadata before displaying it in terminal output, allowing local attackers to inject
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210322
GHSA-mhwh-83qc-j6x4