CVE-2025-55780 Overview
A null pointer dereference vulnerability exists in MuPDF 1.26.4, specifically within the break_word_for_overflow_wrap() function used during EPUB document rendering. When processing a malformed EPUB document, the function calls fz_html_split_flow() to split a FLOW_WORD node but fails to validate whether node->next is a valid pointer before accessing node->next->overflow_wrap. This results in a crash if the split operation fails or returns an incomplete node chain.
Critical Impact
Processing malicious EPUB files can crash applications using MuPDF, causing denial of service conditions in document viewers, readers, and any software embedding the MuPDF library.
Affected Products
- Artifex MuPDF 1.26.4
- Applications embedding MuPDF for EPUB rendering
- Document processing systems utilizing MuPDF library
Discovery Timeline
- 2025-09-23 - CVE-2025-55780 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-55780
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory-safety flaw that occurs when an application dereferences a pointer it expects to be valid but that is actually NULL.
The vulnerable code path exists in the EPUB rendering engine of MuPDF, specifically in the text layout and word wrapping functionality. When the break_word_for_overflow_wrap() function processes text nodes that need to be split for overflow wrapping purposes, it calls fz_html_split_flow() to divide a FLOW_WORD node into smaller segments.
The core issue is a missing validation check: after the split operation completes, the code immediately accesses node->next->overflow_wrap without first verifying that node->next points to a valid node structure. In scenarios where the split fails or produces an incomplete node chain (such as when processing malformed EPUB content), this unchecked access triggers a null pointer dereference, causing an immediate application crash.
Root Cause
The root cause is insufficient input validation and missing null pointer checks in the HTML/EPUB rendering flow control logic. The fz_html_split_flow() function can return partial or empty node chains under certain malformed input conditions, but the calling code in break_word_for_overflow_wrap() assumes the operation always succeeds and produces valid linked list structures.
Attack Vector
This vulnerability can be exploited remotely without authentication. An attacker can craft a malicious EPUB file with specially constructed content that triggers the vulnerable code path during rendering. When a user opens this malformed document using any application that relies on MuPDF for EPUB processing, the null pointer dereference occurs, crashing the application.
The attack scenario requires user interaction (opening a malicious file), but the crafted EPUB can be distributed through various channels including email attachments, websites, or file sharing platforms. Since this is a denial of service vulnerability affecting availability, it does not enable arbitrary code execution or data theft, but can disrupt document viewing workflows and potentially be used in targeted attacks against specific users or systems.
Technical details and proof-of-concept materials are available through the GitHub PoC repository referenced in the vulnerability disclosure.
Detection Methods for CVE-2025-55780
Indicators of Compromise
- Application crashes when opening specific EPUB files
- Crash dumps showing null pointer dereference in break_word_for_overflow_wrap() function
- Repeated segmentation faults in processes using MuPDF library during document rendering
Detection Strategies
- Monitor for application crashes in document viewers and EPUB readers that utilize MuPDF
- Implement file inspection for malformed EPUB structures before processing
- Deploy application stability monitoring for MuPDF-dependent services
Monitoring Recommendations
- Enable crash reporting and analysis for applications using MuPDF library
- Log and alert on repeated document rendering failures from the same source
- Monitor for unusual EPUB file characteristics in email gateways and file upload systems
How to Mitigate CVE-2025-55780
Immediate Actions Required
- Update MuPDF to a patched version that includes the fix from commit bdd5d241748807378a78a622388e0312332513c5
- Restrict processing of untrusted EPUB files until patches are applied
- Implement file type filtering to quarantine suspicious EPUB documents
Patch Information
Artifex has addressed this vulnerability through a code commit that adds proper null pointer validation before accessing node->next->overflow_wrap. The fix is available in the MuPDF commit bdd5d2417488.
Organizations should review the Ghostscript Bug Report #708720 for additional details on the vulnerability and patch verification.
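As an added illustration (not MuPDF's code, and not taken from the PoC repository the advisory references), the following hypothetical C model reproduces the pattern described under Root Cause and the check described under Patch Information: split_flow() stands in for fz_html_split_flow(), break_word_unchecked() shows the unconditional access to node->next->overflow_wrap, and break_word_checked() shows the validation the fix adds. The struct layout, the function names and the conditions under which the split fails are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a FLOW_WORD node (not MuPDF's real struct). */
typedef struct flow_node {
    const char *text;        /* word bytes, not owned by the node */
    size_t len;              /* number of bytes belonging to this node */
    int overflow_wrap;       /* layout flag propagated to the tail on split */
    struct flow_node *next;
} flow_node;

/* Stand-in for fz_html_split_flow(): split `node` at byte offset `at`.
 * On success it links a new tail as node->next and returns 1. On malformed
 * input (offset outside the word) or allocation failure it returns 0 and
 * leaves the list untouched, so node->next may still be NULL. */
static int split_flow(flow_node *node, size_t at)
{
    if (at == 0 || at >= node->len)
        return 0;
    flow_node *tail = calloc(1, sizeof *tail);
    if (!tail)
        return 0;
    tail->text = node->text + at;
    tail->len = node->len - at;
    tail->next = node->next;
    node->len = at;
    node->next = tail;
    return 1;
}

/* The pattern the advisory describes: the caller assumes the split always
 * produced a tail and dereferences node->next unconditionally. When the
 * split fails on the last word of a flow, node->next is NULL: CWE-476. */
static int break_word_unchecked(flow_node *node, size_t at)
{
    split_flow(node, at);
    node->next->overflow_wrap = node->overflow_wrap; /* NULL deref */
    return 1;
}

/* Hardened form: check the split result and the pointer before the access. */
static int break_word_checked(flow_node *node, size_t at)
{
    if (!split_flow(node, at) || node->next == NULL)
        return 0;                /* word stays unbroken; no crash */
    node->next->overflow_wrap = node->overflow_wrap;
    return 1;
}
```

On well-formed input both variants behave identically; only the hardened form survives a split that cannot produce a tail node.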
Workarounds
- Disable EPUB rendering functionality if not required in your deployment
- Use alternative document viewers for untrusted EPUB content until MuPDF is updated
- Implement input sanitization and validation for EPUB files before processing with MuPDF
- Consider sandboxing MuPDF-based applications to limit crash impact on system stability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.