CVE-2025-66499: Foxit PDF Editor Buffer Overflow Flaw

CVE-2025-66499 is a heap-based buffer overflow in Foxit PDF Editor affecting JBIG2 data parsing. Attackers can exploit this flaw to execute arbitrary code. This article covers technical details, affected versions, and mitigations.

CVE-2025-66499 Overview

CVE-2025-66499 is a heap-based buffer overflow vulnerability in the PDF parsing engine of Foxit PDF Reader and Foxit PDF Editor. The flaw occurs when the application processes specially crafted JBIG2 image data embedded in a PDF document. An integer overflow during the calculation of the image buffer size leads to undersized memory allocation, followed by an out-of-bounds heap write. A remote attacker can exploit this issue to execute arbitrary code in the context of the user opening the malicious PDF. The vulnerability is tracked under CWE-190: Integer Overflow or Wraparound and affects Foxit products running on Microsoft Windows and Apple macOS.

Critical Impact

A remote attacker can achieve arbitrary code execution on a target system by convincing a user to open a crafted PDF file containing malformed JBIG2 image data.

Affected Products

  • Foxit PDF Reader (Windows and macOS)
  • Foxit PDF Editor (Windows and macOS)
  • PDF documents containing crafted JBIG2 image streams

Discovery Timeline

  • 2025-12-19 - CVE-2025-66499 published to the National Vulnerability Database (NVD)
  • 2025-12-23 - Last updated in NVD database

Technical Details for CVE-2025-66499

Vulnerability Analysis

The vulnerability resides in the JBIG2 image decoder used by Foxit PDF Reader and Foxit PDF Editor during PDF parsing. JBIG2 is a bi-level image compression format frequently embedded in PDF documents to encode scanned content. When the decoder calculates the size of the destination image buffer based on attacker-controlled width, height, or stride fields, an arithmetic operation wraps around the integer maximum. The application then allocates a buffer that is significantly smaller than the data subsequently written into it. Decoded pixel data overflows the heap allocation, corrupting adjacent memory structures.

An attacker can leverage this corruption to overwrite function pointers, virtual table entries, or heap metadata. Successful exploitation results in arbitrary code execution at the privilege level of the user opening the document.

Root Cause

The root cause is an integer overflow in the buffer size calculation logic of the JBIG2 parser. Multiplying user-controlled image dimensions without proper bounds checking produces a truncated value. The undersized allocation is then filled by the decompression routine, which operates on the full uncontrolled length, producing a classic heap-based buffer overflow.
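The following C is an added illustration of this pattern and is not Foxit's code (which is not public): a 32-bit stride-times-height computation that wraps, beside a hardened version that widens to 64 bits and enforces a size cap. The region_info layout follows the JBIG2 region segment information field (width, height, x, y, flags); the 256 MiB cap and the sample header bytes are constructed values, not Foxit limits or real indicators. The same parse-and-check logic is the kind of dimension-field validation the Detection section below refers to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative region descriptor (not Foxit's internal structure). The byte layout
 * parsed below is the JBIG2 region segment information field: width, height, x, y
 * as big-endian uint32 followed by one flags byte (17 bytes total). */
typedef struct { uint32_t width, height, x, y; uint8_t flags; } region_info;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parses the 17-byte region segment information field; false if truncated. */
bool parse_region_info(const uint8_t *buf, size_t len, region_info *out) {
    if (len < 17) return false;
    out->width = be32(buf);     out->height = be32(buf + 4);
    out->x     = be32(buf + 8); out->y      = be32(buf + 12);
    out->flags = buf[16];
    return true;
}

/* Vulnerable pattern (CWE-190): bytes-per-row times height in 32-bit arithmetic.
 * For large dimensions the product wraps and the allocation comes out far too small. */
uint32_t unchecked_buffer_size(const region_info *r) {
    uint32_t stride = (r->width + 7) / 8;   /* 1 bit per pixel, rows padded to a byte */
    return stride * r->height;              /* silently wraps past UINT32_MAX */
}

/* Hardened version: widen to 64 bits and reject dimensions whose bitmap exceeds a
 * policy cap (the 256 MiB cap is a constructed value, not a Foxit limit). */
#define MAX_BITMAP_BYTES ((uint64_t)256 * 1024 * 1024)

bool checked_buffer_size(const region_info *r, size_t *out) {
    if (r->width == 0 || r->height == 0) return false;
    uint64_t stride = ((uint64_t)r->width + 7) / 8;   /* < 2^29 */
    uint64_t bytes  = stride * r->height;             /* < 2^61: cannot wrap in 64 bits */
    if (bytes > MAX_BITMAP_BYTES) return false;
    *out = (size_t)bytes;
    return true;
}

/* Bytes a decoder writing the full bitmap would place past the wrapped allocation. */
uint64_t overflow_bytes(const region_info *r) {
    uint64_t real = (((uint64_t)r->width + 7) / 8) * r->height;
    return real - unchecked_buffer_size(r);
}

/* Constructed 17-byte header with width 524288 and height 65537 (not a real sample). */
const uint8_t crafted_region_info[17] = {0x00,0x08,0x00,0x00, 0x00,0x01,0x00,0x01, 0,0,0,0, 0,0,0,0, 0x00};
```

With the constructed header, stride 65536 times height 65537 wraps to a 65536-byte allocation while the full bitmap is just over 4 GiB; the checked version rejects it, and a 2550 by 3300 pixel scan (a normal 300 dpi letter page) is accepted at 1052700 bytes.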

Attack Vector

Exploitation requires user interaction. An attacker delivers a crafted PDF document containing malformed JBIG2 image data through email attachments, drive-by downloads, instant messaging, or shared file repositories. When the victim opens the PDF in a vulnerable version of Foxit PDF Reader or Foxit PDF Editor, the malicious JBIG2 stream is parsed and triggers the overflow. Code execution occurs in the context of the local user, providing initial access for further post-exploitation activity.

No verified proof-of-concept exploit is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication.

Detection Methods for CVE-2025-66499

Indicators of Compromise

  • PDF files containing malformed or oversized JBIG2 image streams with anomalous width, height, or stride values
  • Unexpected child processes spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe, such as command shells or script interpreters
  • Crashes of Foxit PDF Reader or Foxit PDF Editor logged in Windows Event Viewer or macOS unified logs immediately after opening a PDF
  • Outbound network connections initiated by the Foxit process to untrusted hosts following document open events

Detection Strategies

  • Inspect PDF attachments at the email gateway and web proxy for embedded JBIG2 streams with invalid dimension fields
  • Monitor endpoints for process lineage anomalies where Foxit binaries spawn cmd.exe, powershell.exe, wscript.exe, or shell processes on macOS
  • Apply YARA rules targeting malformed JBIG2 segment headers within PDF objects

Monitoring Recommendations

  • Forward Foxit application crash telemetry and Windows Error Reporting events to a centralized SIEM for correlation
  • Track file write and process creation events originating from Foxit processes to identify post-exploitation behavior
  • Alert on PDF documents arriving from external senders that contain large or malformed image streams

How to Mitigate CVE-2025-66499

Immediate Actions Required

  • Update Foxit PDF Reader and Foxit PDF Editor to the latest version released by Foxit as referenced in the Foxit Security Bulletin
  • Restrict opening of PDF documents received from untrusted sources until patches are deployed across the environment
  • Enforce least-privilege user accounts so that successful exploitation does not yield administrative access

Patch Information

Foxit has published remediation guidance in the Foxit Security Bulletin. Administrators should review the bulletin to identify the fixed build numbers for Foxit PDF Reader and Foxit PDF Editor on Windows and macOS, then deploy the updates through enterprise software distribution tooling.

Workarounds

  • Configure an alternate default PDF handler until Foxit applications are patched in environments where immediate updates are not feasible
  • Disable automatic preview of PDF attachments in mail clients and file explorers to require explicit user action before parsing
  • Block inbound PDF attachments at the perimeter when business processes allow, or sandbox PDF rendering in an isolated browser or container
```powershell
# Example: enumerate installed Foxit versions on Windows endpoints via PowerShell
# Note: querying Win32_Product triggers an MSI consistency check of every installed
# package and can be slow; the vendor filter is applied client-side after the query.
# On PowerShell 3.0+ Get-CimInstance -ClassName Win32_Product is the preferred equivalent.
Get-WmiObject -Class Win32_Product | Where-Object { $_.Vendor -like 'Foxit*' } | Select-Object Name, Version, InstallDate
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.