CVE-2025-59933 Overview
CVE-2025-59933 is a buffer read overflow vulnerability in libvips, a demand-driven, horizontally threaded image processing library. The flaw affects versions 8.17.1 and below when libvips is compiled with PDF input support via poppler. The pdfload operation reads beyond allocated memory when parsing the header of a crafted PDF containing a page that defines a width but omits a height. Builds compiled without PDF support or using PDFium for PDF input are unaffected. The issue is fixed in libvips 8.17.2.
Critical Impact
A crafted PDF processed by pdfload can trigger an out-of-bounds read [CWE-126] that leaks adjacent memory contents or causes process termination, impacting any service that ingests untrusted PDFs through libvips with poppler.
Affected Products
- libvips versions 8.17.1 and earlier (when compiled with poppler PDF support)
- Applications and services embedding libvips for PDF rendering via VipsForeignLoadPdf
- Image processing pipelines that accept untrusted PDF uploads
Discovery Timeline
- 2025-09-29 - CVE-2025-59933 published to NVD
- 2025-12-24 - Last updated in NVD database
Technical Details for CVE-2025-59933
Vulnerability Analysis
The vulnerability resides in the libvips poppler PDF loader, invoked through the pdfload operation. When libvips parses page metadata from a PDF, it expects both width and height dimensions to be present and validated. A crafted PDF that declares a page width but omits the page height causes the loader to read memory past the boundary of the parsed header buffer. This is classified as a buffer read overflow [CWE-126].
The issue is constrained to builds linked against poppler. The alternative PDFium-based loader (pdfiumload) is not affected because it performs independent size validation. Successful exploitation requires the attacker to supply or coerce processing of a malicious PDF, which is a realistic vector for web services that accept PDF uploads for thumbnailing, conversion, or rasterization.
Root Cause
The root cause is missing validation of poppler page geometry before downstream consumers operate on the loaded page. The upstream fix adds a sanity check on the loaded VipsObject and validates the page size returned by poppler and the SVG loader. Without this check, a NULL or zero-initialized height combined with a non-zero width drives buffer math that exceeds the source region.
Attack Vector
Exploitation requires the target application to invoke pdfload on attacker-controlled PDF content. The CVSS vector indicates a local attack vector with low complexity and no privileges or user interaction beyond submitting the file. In typical deployments (image processing workers, document conversion services), an attacker uploads a crafted PDF that defines a page width without a height, triggering the out-of-bounds read during header parsing.
* If the load fails, we need to stop.
*/
if (class->load(load) ||
+ !vips_object_sanity(VIPS_OBJECT(load->real)) ||
vips_image_pio_input(load->real) ||
!vips_foreign_load_iscompat(load->real, out)) {
vips_operation_invalidate(VIPS_OPERATION(load));
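Review bot: the comment above the condition still reads "If the load fails, we need to stop.", but the added `!vips_object_sanity(VIPS_OBJECT(load->real))` branch also stops a load that succeeded and returned an image whose geometry fails the sanity check; update the comment to say so, for example "If the load fails, or the loaded image fails its sanity check, we need to stop.", so a later reader does not drop the check as redundant. The position of the new line is right: it runs after `class->load(load)` has populated `load->real` and before `vips_image_pio_input(load->real)` and `vips_foreign_load_iscompat(load->real, out)` consume that image.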
Source: libvips commit a58bfae — the patch inserts vips_object_sanity() into the foreign loader path so malformed page geometry from poppler or SVG is rejected before further processing.
Detection Methods for CVE-2025-59933
Indicators of Compromise
- Crashes or abnormal terminations in worker processes that invoke libvips pdfload on user-supplied PDFs
- PDF files containing page objects with a defined /MediaBox width but missing or zero height values
- Unexpected memory contents appearing in rendered output thumbnails or conversion artifacts from PDF inputs
Detection Strategies
- Inventory all hosts and containers running libvips and identify whether builds link against poppler (vips --vips-config reports enabled loaders)
- Flag any libvips installation reporting a version at or below 8.17.1 with poppler PDF support enabled
- Inspect PDF intake pipelines for files whose page dictionary defines width without a matching height
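The scanner below is an added example and is not part of the advisory or of libvips. It implements the third detection strategy above and the second indicator of compromise: it walks the uncompressed indirect objects of a PDF, picks out the /Type /Page dictionaries, and flags any page whose /MediaBox gives a non-zero width with a zero height, or a /MediaBox with fewer than four numbers. The sample PDF is constructed inline. The assumption that a "missing height" shows up on disk as a zero-height or truncated MediaBox is the example's own; the advisory does not say how the crafted page is encoded.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "N G obj ... endobj" for uncompressed indirect objects only.
# Objects packed into /ObjStm streams are not visible to this scanner.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[([^\]]*)\]")
NUMBER_RE = re.compile(rb"[-+]?(?:\d+\.?\d*|\.\d+)")
PAGE_TYPE_RE = re.compile(rb"/Type\s*/Page\b")  # \b excludes /Pages


@dataclass
class PageFinding:
    obj_num: int
    width: Optional[float]
    height: Optional[float]
    reason: str


def parse_mediabox(body: bytes) -> Optional[Tuple[float, float]]:
    """Return (width, height) from a page dictionary's /MediaBox.

    Returns None when the dictionary has no /MediaBox (it may be
    inherited from the parent /Pages node, which is not resolved here).
    Raises ValueError when the array does not hold exactly four numbers.
    """
    m = MEDIABOX_RE.search(body)
    if not m:
        return None
    nums = [float(n) for n in NUMBER_RE.findall(m.group(1))]
    if len(nums) != 4:
        raise ValueError(f"MediaBox has {len(nums)} numbers, expected 4")
    x0, y0, x1, y1 = nums
    # PDF allows the corners in either order, so take absolute extents.
    return abs(x1 - x0), abs(y1 - y0)


def scan_pdf(data: bytes) -> List[PageFinding]:
    """Flag page objects whose geometry is degenerate or malformed."""
    findings: List[PageFinding] = []
    for m in OBJ_RE.finditer(data):
        obj_num = int(m.group(1))
        body = m.group(3)
        if not PAGE_TYPE_RE.search(body):
            continue
        try:
            box = parse_mediabox(body)
        except ValueError as exc:
            findings.append(PageFinding(obj_num, None, None, f"malformed MediaBox: {exc}"))
            continue
        if box is None:
            continue  # inherited MediaBox; out of scope for this heuristic
        width, height = box
        if width > 0 and height <= 0:
            findings.append(PageFinding(obj_num, width, height,
                                        "width defined but height is zero"))
        elif width <= 0 or height <= 0:
            findings.append(PageFinding(obj_num, width, height, "degenerate page size"))
    return findings


# Constructed sample: one sane page, one zero-height page, one truncated MediaBox.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R 5 0 R] /Count 3 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 0] >> endobj
5 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"object {f.obj_num}: {f.reason} (width={f.width}, height={f.height})")
```

Two limits of this heuristic matter for an intake pipeline: pages stored inside compressed object streams are invisible to the regex, and a page that inherits its /MediaBox from the /Pages tree is skipped rather than resolved. It is a cheap pre-filter for logging and alerting, not a substitute for upgrading libvips or for a full PDF parser at the trust boundary.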
Monitoring Recommendations
- Monitor image and document processing workers for segmentation faults, ASan reports, or unexpected exits correlated with PDF inputs
- Log invocations of VipsForeignLoadPdf and alert on processing failures originating from pdfload
- Track outbound responses from conversion services for anomalously sized or partially rendered PDF outputs that may indicate memory disclosure
How to Mitigate CVE-2025-59933
Immediate Actions Required
- Upgrade libvips to version 8.17.2 or later on all affected systems
- For environments that cannot patch immediately, block the VipsForeignLoadPdf operation via vips_operation_block_set in the host application
- Alternatively, set the VIPS_BLOCK_UNTRUSTED environment variable at runtime to disable all untrusted loaders, including poppler PDF input
- Rebuild libvips against PDFium instead of poppler if PDF support is required and patching is delayed
Patch Information
The fix is included in libvips 8.17.2. The relevant upstream change validates poppler and SVG page sizes and adds a sanity check on loaded foreign objects. See the libvips 8.17.2 release notes, the GHSA-q8px-4w5q-c2r4 advisory, and the upstream patch commit.
8.17.2
- rank: fix an off-by-one error [larsmaxfield]
+- popplerload, svgload: validate page size [Yang Luo]
- pdfiumload: allow both dpi and scale to be set [kleisauke]
7/7/25 8.17.1
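Review bot: the 8.17.2 entry "popplerload, svgload: validate page size [Yang Luo]" names the loaders but not the advisory it closes; a ChangeLog line for a security fix should carry the identifier (GHSA-q8px-4w5q-c2r4 / CVE-2025-59933) so that packagers reading the ChangeLog can map the release to the advisory without opening the commit.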
Source: libvips ChangeLog
Workarounds
- Set VIPS_BLOCK_UNTRUSTED=1 in the runtime environment of any service invoking libvips on user-supplied content
- Call vips_operation_block_set("VipsForeignLoadPdf", TRUE) during application initialization to disable the poppler PDF loader
- Reject PDF uploads at the application boundary until the libvips dependency is updated to 8.17.2 or later
# Disable all untrusted libvips loaders, including poppler PDF input
export VIPS_BLOCK_UNTRUSTED=1
# Verify libvips version and enabled loaders
vips --version
vips --vips-config | grep -i pdf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.