Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71382

CVE-2025-71382: MuPDF EPUB DoS Vulnerability

CVE-2025-71382 is a denial of service flaw in MuPDF's EPUB CSS rendering engine caused by uncontrolled recursion. Attackers can crash applications by providing crafted EPUB files with deeply nested HTML elements.

Published:

CVE-2025-71382 Overview

CVE-2025-71382 is an uncontrolled recursion vulnerability [CWE-674] in MuPDF before version 1.27.0-rc1. The flaw resides in the EPUB Cascading Style Sheets (CSS) rendering engine. Remote attackers can trigger a denial of service by supplying a crafted EPUB file containing deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in source/html/css-apply.c recurses through the CSS property inheritance chain without a depth limit. This exhausts the process stack and crashes any application using MuPDF for EPUB rendering.

Critical Impact

Any application embedding MuPDF for EPUB rendering can be crashed by opening a single malicious file, disrupting document viewers, conversion pipelines, and e-reader services.

Affected Products

  • MuPDF versions prior to 1.27.0-rc1
  • Applications and libraries embedding vulnerable MuPDF builds for EPUB rendering
  • Document conversion and viewer pipelines linking against Artifex MuPDF

Discovery Timeline

  • 2026-06-23 - CVE-2025-71382 published to the National Vulnerability Database (NVD)
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2025-71382

Vulnerability Analysis

MuPDF parses EPUB documents by walking the HTML element tree and applying CSS property values inherited from ancestor elements. The function value_from_inheritable_property() is responsible for resolving a property by walking up the match chain when the current node either lacks a value or specifies inherit. The original implementation calls itself recursively for each level of the inheritance chain.

An attacker crafts an EPUB file with thousands of nested HTML elements, each carrying inline CSS that forces inheritance lookups. Each lookup adds a new stack frame. When the depth exceeds the host process's stack limit, the process crashes with a stack overflow, terminating the rendering application.

Root Cause

The root cause is the recursive design of value_from_inheritable_property() in source/html/css-apply.c, which has no depth bound. CSS inheritance chains scale linearly with HTML nesting depth in EPUB content, and an attacker fully controls that depth.

Attack Vector

Exploitation requires user interaction: the victim must open a malicious EPUB in an application that uses MuPDF. No authentication is needed, and the file can be delivered over the network through email, web download, or a content distribution platform. The result is a process crash and loss of availability for the rendering service.

c
// Source: https://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f623a4e94e
// Patch in source/html/css-apply.c - Bug 708840: Use iteration for value_from_inheritable_property.
 static fz_css_value *
 value_from_inheritable_property(fz_css_match *match, int name)
 {
-	fz_css_value *value = match->value[name];
-	if (match->up)
+	while (match)
 	{
-		if (value && !strcmp(value->data, "inherit"))
-			return value_from_inheritable_property(match->up, name);
-		if (!value)
-			return value_from_inheritable_property(match->up, name);
+		fz_css_value *value = match->value[name];
+		if (value && strcmp(value->data, "inherit") != 0)
+			return value;
+		match = match->up;
 	}
-	return value;
+	return NULL;
 }

The patch replaces self-recursion with an iterative while loop, walking the match->up chain on the heap-allocated structure rather than the process stack. This eliminates stack growth proportional to inheritance depth.

Detection Methods for CVE-2025-71382

Indicators of Compromise

  • Crash reports or core dumps from processes linking libmupdf with stack overflow signatures referencing value_from_inheritable_property or css-apply.c
  • EPUB files with abnormal HTML nesting depth (thousands of nested elements) or oversized inline CSS payloads
  • Repeated, abrupt termination of EPUB viewers, e-reader services, or conversion workers shortly after file ingestion

Detection Strategies

  • Inspect EPUB content at ingestion: parse the contained XHTML and flag documents whose maximum element nesting depth exceeds a sane threshold (for example, 256 levels)
  • Monitor process telemetry for segmentation faults or SIGSEGV events originating from MuPDF-linked binaries
  • Correlate crashes with the filename and source of the EPUB that was processed immediately before termination

Monitoring Recommendations

  • Enable crash reporting and core dump collection for all production services that render EPUB content
  • Track MuPDF library versions across your asset inventory and alert on builds below 1.27.0-rc1
  • Log file metadata (size, depth, originating user) for every EPUB processed by server-side conversion pipelines

How to Mitigate CVE-2025-71382

Immediate Actions Required

  • Upgrade MuPDF to version 1.27.0-rc1 or later in all applications, packages, and container images
  • Rebuild and redeploy any downstream software statically linked against vulnerable MuPDF versions
  • Restrict EPUB ingestion to trusted sources until patching is complete

Patch Information

The fix is implemented in Artifex MuPDF commit 70b71ab and shipped in the MuPDF 1.27.0-rc1 release. The patch refactors value_from_inheritable_property() to iterate over the CSS match chain instead of recursing. Additional context is available in the Ghostscript Bug Report #708840 and the VulnCheck MuPDF RC1 DoS Advisory.

Workarounds

  • Pre-validate EPUB inputs and reject files whose HTML nesting depth exceeds a configured limit
  • Run EPUB rendering in isolated, resource-capped sandboxes so a crash does not affect the host service
  • Disable EPUB support in user-facing viewers where it is not required until the patched MuPDF version is deployed
bash
# Configuration example: verify and pin a patched MuPDF build
mutool -v   # confirm version is >= 1.27.0-rc1

# Debian/Ubuntu: upgrade system packages
sudo apt update && sudo apt install --only-upgrade libmupdf-dev mupdf mupdf-tools

# Build from source against the fixed tag
git clone --recursive https://github.com/ArtifexSoftware/mupdf.git
cd mupdf
git checkout 1.27.0-rc1
make HAVE_X11=no HAVE_GLUT=no prefix=/usr/local install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.