CVE-2025-64512 Overview
CVE-2025-64512 is an insecure deserialization vulnerability in pdfminer.six, a community-maintained Python library for extracting text and metadata from PDF documents. Versions prior to 20251107 can execute arbitrary code while processing a crafted PDF that points the library at an attacker-staged, gzip-compressed pickle file. The CMapDB._load_data() function builds a file name from the CMap name found in the PDF, appends .pickle.gz, and passes the file contents to pickle.loads(); because that name is not confined to the bundled cmap/ directory, a crafted document can redirect the loader to an attacker-controlled path. The flaw is tracked under [CWE-502: Deserialization of Untrusted Data] and was fixed in release 20251107.
Critical Impact
A malicious PDF processed by pdfminer.six triggers arbitrary code execution with the identity and privileges of the process running the parser, so a single untrusted file can compromise document-processing pipelines, automation servers, and developer workstations.
Affected Products
- pdfminer.six versions prior to 20251107
- Debian 11 (LTS) python3-pdfminer packages built from affected upstream releases
- Downstream Python applications that embed pdfminer.six for PDF parsing
Discovery Timeline
- 2025-11-07 - pdfminer.six release 20251107 published with the fix
- 2025-11-10 - CVE-2025-64512 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-64512
Vulnerability Analysis
The vulnerability resides in the character map (CMap) loading routine of pdfminer.six. PDF documents reference CMap resources by name when decoding font character codes, and pdfminer.six resolves those names against a bundled cmap/ directory by opening the matching gzip-compressed pickle file and calling pickle.loads() on it. Because Python's pickle module invokes arbitrary callables during deserialization, whoever controls the pickle bytes controls code execution. The library trusted the CMap name supplied inside the PDF without constraining it to the bundled directory, so a name containing path separators or .. segments walks out of cmap/ to any other directory; the loader appends the .pickle.gz suffix itself, so the attacker only needs to stage a file with that extension at the target path.
Exploitation requires the victim to process an attacker-supplied PDF. Document conversion services, OCR pipelines, search indexers, and CI tooling that ingest untrusted PDFs are the primary exposure surface.
Root Cause
Two defects combine to produce the issue. First, CMapDB._load_data() performs unsafe deserialization with pickle.loads() on the contents of a file whose path is built from the CMap name in the PDF. Second, that path is joined onto the cmap/ directory and opened without first being resolved and checked against the intended parent directory, so .. segments and absolute names escape it.
Attack Vector
An attacker stages a malicious .pickle.gz file in a location reachable by the victim process, such as an extracted archive, a writable temp directory, or a network share mounted locally. The attacker then delivers a PDF whose font resources reference that pickle path. When pdfminer.six parses the document, pickle.loads() reconstructs attacker-defined objects and invokes their __reduce__ payload, yielding code execution under the parsing process's identity.
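The mechanism described in the three passages above, as an added example that is not pdfminer.six's own code: a stand-in for the CMapDB._load_data() lookup in its pre-patch and hardened forms, run against a constructed directory layout. The names vulnerable_load, hardened_load, Payload and the EXECUTED marker directory are illustrative, and os.makedirs stands in for the os.system call a real payload would name, so the effect is observable without spawning anything.

```python
"""Added example: pre-patch and hardened CMap lookups side by side (hypothetical names)."""
import gzip
import os
import pickle
import tempfile


class CMapNotFound(LookupError):
    """Raised when no acceptable CMap file is found (stand-in for the library's own error)."""


class Payload:
    """Attacker-side object: unpickling runs the callable named by __reduce__.
    os.makedirs is a harmless, observable stand-in for os.system or similar."""

    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.makedirs, (self.marker_dir,))


def _write_gz_pickle(path, obj):
    # The loader expects gzip-compressed pickle bytes under a .pickle.gz name.
    with gzip.open(path, "wb") as fh:
        fh.write(pickle.dumps(obj))


def vulnerable_load(name, cmap_dir):
    """Pre-patch shape: the PDF-supplied name is joined onto the bundled directory
    and whatever file turns up is unpickled. There is no containment check."""
    path = os.path.join(cmap_dir, name + ".pickle.gz")
    if not os.path.exists(path):
        raise CMapNotFound(name)
    with gzip.open(path, "rb") as gzfile:
        return pickle.loads(gzfile.read())  # the real loader wraps this dict in a class


def hardened_load(name, cmap_dir):
    """Post-patch shape: resolve '..' and symlinks first, then refuse any candidate
    that is not strictly inside cmap_dir before the file is touched."""
    base = os.path.realpath(cmap_dir)
    candidate = os.path.realpath(os.path.join(cmap_dir, name + ".pickle.gz"))
    try:
        inside = os.path.commonpath([base, candidate]) == base and candidate != base
    except ValueError:  # e.g. different drives on Windows: cannot be inside
        inside = False
    if not inside or not os.path.isfile(candidate):
        raise CMapNotFound(name)
    with gzip.open(candidate, "rb") as gzfile:
        return pickle.loads(gzfile.read())


def build_layout(root):
    """Constructed layout: root/pkg/cmap is the trusted directory, root/staging is
    attacker-writable. Returns (cmap_dir, staging_dir, marker_dir)."""
    cmap_dir = os.path.join(root, "pkg", "cmap")
    staging = os.path.join(root, "staging")
    os.makedirs(cmap_dir)
    os.makedirs(staging)
    _write_gz_pickle(os.path.join(cmap_dir, "UniJIS-UCS2-H.pickle.gz"),
                     {"CODE2CID": {0x41: 34}, "IS_VERTICAL": False})
    marker = os.path.join(root, "EXECUTED")
    _write_gz_pickle(os.path.join(staging, "evil.pickle.gz"), Payload(marker))
    return cmap_dir, staging, marker


def demo():
    """Run both loaders against a benign name, a traversal name and an absolute name."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        cmap_dir, staging, marker = build_layout(root)
        traversal = "../../staging/evil"          # what a crafted CMap name supplies
        absolute = os.path.join(staging, "evil")  # absolute form: os.path.join drops cmap_dir

        results["benign_vulnerable"] = vulnerable_load("UniJIS-UCS2-H", cmap_dir)["CODE2CID"]
        results["benign_hardened"] = hardened_load("UniJIS-UCS2-H", cmap_dir)["CODE2CID"]

        vulnerable_load(traversal, cmap_dir)  # unpickling runs os.makedirs(marker)
        results["vulnerable_executed_payload"] = os.path.isdir(marker)
        os.rmdir(marker)

        for label, name in (("traversal", traversal), ("absolute", absolute)):
            try:
                hardened_load(name, cmap_dir)
                results["hardened_blocked_" + label] = False
            except CMapNotFound:
                results["hardened_blocked_" + label] = True
        results["hardened_left_no_marker"] = not os.path.exists(marker)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant checks containment with os.path.commonpath on realpath-resolved paths, which also rejects a symlink planted inside cmap/ that points elsewhere; the legitimate entry still loads, which is the behaviour the patch has to preserve.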
)
for directory in cmap_paths:
path = os.path.join(directory, filename)
- if os.path.exists(path):
- gzfile = gzip.open(path)
+ # Resolve paths to prevent directory traversal
+ resolved_path = os.path.realpath(path)
+ resolved_directory = os.path.realpath(directory)
+ # Check if resolved path is within the intended directory
+ if not resolved_path.startswith(resolved_directory + os.sep):
+ continue
+ if os.path.exists(resolved_path):
+ gzfile = gzip.open(resolved_path)
try:
return type(str(name), (), pickle.loads(gzfile.read()))
finally:
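Review bot: the containment test `if not resolved_path.startswith(resolved_directory + os.sep):` is only correct because os.sep is appended; `os.path.commonpath([resolved_directory, resolved_path]) == resolved_directory` states the intent directly and does not depend on how os.path.realpath renders the directory. On the same hunk, `resolved_directory = os.path.realpath(directory)` is recomputed on every loop iteration and can be hoisted, and the retained `os.path.exists` / `gzip.open` / `pickle.loads` sequence still unpickles any file that passes the check, so every entry of `cmap_paths` must be a trusted, non-writable directory for the fix to hold.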
Source: pdfminer.six commit b808ee0 - The patch normalizes the candidate path with os.path.realpath() and rejects any resolved path that escapes the intended CMap directory, preventing PDF-controlled traversal into attacker-staged pickle files.
Detection Methods for CVE-2025-64512
Indicators of Compromise
- Presence of unexpected .pickle.gz files outside the pdfminer/cmap/ package directory, especially in temp, upload, or shared directories.
- Python processes running pdfminer.six spawning shells, network clients, or compilers immediately after PDF ingestion.
- PDF samples whose font CMap resource names contain path separators (/ or \, possibly hex-escaped as #2F or #5C inside the PDF name object), .. segments, or absolute paths.
Detection Strategies
- Inventory installed pdfminer.six versions across endpoints, build agents, and containers; flag any release earlier than 20251107.
- Hunt for child processes of Python interpreters that loaded pdfminer modules, correlating PDF file opens with subsequent process creation events.
- Inspect captured PDFs for /CMap or /Encoding entries referencing non-standard CMap names, which is uncommon in benign documents.
Monitoring Recommendations
- Forward process-creation and file-access telemetry from PDF-processing servers into your SIEM or data lake for retroactive hunting.
- Alert on writes of files matching *.pickle.gz outside known package install paths.
- Track outbound network connections originating from document parsing workers, which should normally be silent.
How to Mitigate CVE-2025-64512
Immediate Actions Required
- Upgrade pdfminer.six to version 20251107 or later across all environments that ingest PDFs.
- Audit dependent packages (for example pdfplumber) and rebuild containers or virtual environments to pull the patched release transitively.
- Quarantine any recently received PDFs from untrusted sources until parsing hosts are patched.
Patch Information
The fix is delivered in pdfminer.six release 20251107 via commit b808ee05dd7f0c8ea8ec34bdf394d40e63501086. Distribution-specific updates are tracked in the Debian LTS announcement (November 2025) and Debian LTS announcement (January 2026). Additional details are published in GitHub Security Advisory GHSA-wf5f-4jwr-ppcp.
Workarounds
- Run PDF parsing in a sandboxed, non-privileged process with no outbound network access and an ephemeral filesystem.
- Restrict the working directory of the parser so that no writable location contains .pickle.gz files reachable by traversal.
- Validate PDFs before processing and reject documents that reference CMap names containing path separators.
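The pre-processing check from the last workaround above, which is also the inspection suggested under Detection Strategies, as an added example that is not from pdfminer.six or the advisory: a raw-byte screen that decodes the PDF name objects given as the direct value of /Encoding (and, by assumption, /UseCMap, since embedded CMap streams can chain to another CMap by name) and flags any name that could steer the lookup outside the bundled directory. It is not a PDF parser: indirect references (5 0 R) are not followed, and dictionaries inside compressed object streams are not visible, so a document the screen cannot see into should be treated as unscreened rather than clean. The sample bytes are constructed.

```python
"""Added example: screen /Encoding names in a PDF for path-like CMap references (constructed sample)."""
import re

# PDF name object: '/' followed by regular characters (whitespace and delimiters end it).
_NAME = rb"/([^\s/\[\]<>(){}%]*)"
# Keys whose direct-name value reaches the CMap loader.  /Encoding is the case the
# advisory describes; /UseCMap is assumed here to resolve through the same lookup.
_KEYS = (b"Encoding", b"UseCMap")
_PATTERN = re.compile(rb"/(?:" + b"|".join(_KEYS) + rb")\s*" + _NAME)
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(raw):
    """Expand #xx escapes: a raw '/' ends a name, so traversal has to be written as #2F."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def is_suspicious_cmap_name(name):
    """Predefined CMap names are bare identifiers; anything path-like is flagged.
    A lone '..' is not flagged: the loader appends .pickle.gz, so without a
    separator the joined path cannot leave the cmap/ directory."""
    if b"\x00" in name:                       # NUL truncates the name at the OS boundary
        return True
    if b"/" in name or b"\\" in name:         # any separator lets the join leave cmap/
        return True
    return re.match(rb"[A-Za-z]:", name) is not None   # Windows drive-relative form


def scan_pdf_bytes(data):
    """Return (decoded_name, offset) for each direct /Encoding or /UseCMap name that
    looks like a path.  Runs over the raw file, so it only sees uncompressed dictionaries."""
    findings = []
    for m in _PATTERN.finditer(data):
        name = decode_pdf_name(m.group(1))
        if is_suspicious_cmap_name(name):
            findings.append((name.decode("latin-1"), m.start()))
    return findings


def should_reject(data):
    """Policy hook for an ingestion pipeline: refuse documents with any finding."""
    return bool(scan_pdf_bytes(data))


# Constructed sample: a benign Type0 font, a font whose /Encoding name hex-escapes the
# separators so that, decoded, it walks out of cmap/, and a font with an indirect
# /Encoding reference that this screen deliberately does not follow.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Font /Subtype /Type0 /BaseFont /KozMinPr6N-Regular "
    b"/Encoding /UniJIS-UCS2-H /DescendantFonts [2 0 R] >>\nendobj\n"
    b"3 0 obj\n<< /Type /Font /Subtype /Type0 /BaseFont /Evil "
    b"/Encoding /..#2F..#2F..#2Ftmp#2Fevil /DescendantFonts [2 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica "
    b"/Encoding 5 0 R >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, offset in scan_pdf_bytes(SAMPLE_PDF):
        print(f"suspicious CMap name {name!r} at byte offset {offset}")
    print("reject:", should_reject(SAMPLE_PDF))
```

This screen is a stop-gap for the window before the parsing hosts are patched, not a substitute for the upgrade; a document that carries its font dictionaries inside a compressed object stream passes it unseen.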
# Upgrade to the patched release
pip install --upgrade 'pdfminer.six>=20251107'
# Verify the installed version
python -c "import pdfminer; print(pdfminer.__version__)"
# Debian / Ubuntu LTS
sudo apt update && sudo apt install --only-upgrade python3-pdfminer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


