Suggestions search

Dismissed

Filter by:

With package: mupdf-headless

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2025-71382

7.1 HIGH

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): High (H)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): High (H)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 2 days ago by @LeSuisse Activity log

Created suggestion 2 days, 10 hours ago
@LeSuisse dismissed 2 days ago

MuPDF < 1.27.0-rc1 Stack Exhaustion DoS via EPUB CSS Rendering

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.

References

https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0-rc1 release-notes
https://bugs.ghostscript.com/show_bug.cgi?id=708840 exploittechnical-description
https://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f… patch
https://www.vulncheck.com/advisories/mupdf-rc1-stack-exhaustion-dos-via-epub-cs… third-party-advisory

Affected products

mupdf

<1.27.0-rc1

Matching in nixpkgs

pkgs.mupdf

Lightweight PDF, XPS, and E-book viewer and toolkit written in portable C

nixos-unstable 1.27.2
- nixpkgs-unstable 1.27.2
- nixos-unstable-small 1.27.2
nixos-26.05 1.27.2
- nixos-26.05-small 1.27.2
- nixpkgs-26.05-darwin 1.27.2

pkgs.mupdf-headless

Lightweight PDF, XPS, and E-book viewer and toolkit written in portable C

nixos-unstable 1.27.2
- nixpkgs-unstable 1.27.2
- nixos-unstable-small 1.27.2
nixos-26.05 1.27.2
- nixos-26.05-small 1.27.2
- nixpkgs-26.05-darwin 1.27.2

pkgs.python312Packages.pymupdf

None

pkgs.python313Packages.pymupdf

Python bindings for MuPDF's rendering library

nixos-unstable 1.27.2.3
- nixpkgs-unstable 1.27.2.3
- nixos-unstable-small 1.27.2.3
nixos-26.05 1.27.2.3
- nixos-26.05-small 1.27.2.3
- nixpkgs-26.05-darwin 1.27.2.3

pkgs.python314Packages.pymupdf

Python bindings for MuPDF's rendering library

nixos-unstable 1.27.2.3
- nixpkgs-unstable 1.27.2.3
- nixos-unstable-small 1.27.2.3
nixos-26.05 1.27.2.3
- nixos-26.05-small 1.27.2.3
- nixpkgs-26.05-darwin 1.27.2.3

pkgs.python312Packages.pymupdf4llm

None

pkgs.python313Packages.pymupdf4llm

PyMuPDF Utilities for LLM/RAG - converts PDF pages to Markdown format for Retrieval-Augmented Generation

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4
nixos-26.05 0.3.4
- nixos-26.05-small 0.3.4
- nixpkgs-26.05-darwin 0.3.4

pkgs.python314Packages.pymupdf4llm

PyMuPDF Utilities for LLM/RAG - converts PDF pages to Markdown format for Retrieval-Augmented Generation

nixos-unstable 0.3.4
- nixpkgs-unstable 0.3.4
- nixos-unstable-small 0.3.4
nixos-26.05 0.3.4
- nixos-26.05-small 0.3.4
- nixpkgs-26.05-darwin 0.3.4

pkgs.zathuraPkgs.zathura_pdf_mupdf

Zathura PDF plugin (mupdf)

nixos-unstable 2026.05.10
- nixpkgs-unstable 2026.05.10
- nixos-unstable-small 2026.05.10
nixos-26.05 2026.05.10
- nixos-26.05-small 2026.05.10
- nixpkgs-26.05-darwin 2026.05.10

pkgs.python312Packages.pymupdf-fonts

None

pkgs.python313Packages.pymupdf-fonts

Collection of optional fonts for PyMuPDF

nixos-unstable 1.0.5
- nixpkgs-unstable 1.0.5
- nixos-unstable-small 1.0.5
nixos-26.05 1.0.5
- nixos-26.05-small 1.0.5
- nixpkgs-26.05-darwin 1.0.5

pkgs.python314Packages.pymupdf-fonts

Collection of optional fonts for PyMuPDF

nixos-unstable 1.0.5
- nixpkgs-unstable 1.0.5
- nixos-unstable-small 1.0.5
nixos-26.05 1.0.5
- nixos-26.05-small 1.0.5
- nixpkgs-26.05-darwin 1.0.5

Package maintainers

@fpletz Franz Pletz <fpletz@fnordicwalking.de>
@sarahec Sarah Clark <seclark@nextquestion.net>
@ryota2357 Ryota Otsuki <contact@ryota2357.com>
@MithicSpirit MithicSpirit <rpc01234@gmail.com>

The stable branch was never impacted

Permalink CVE-2025-15569

7.0 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Exploit Code Maturity (E): Not Defined (X)
Remediation Level (RL): Official Fix (O)
Report Confidence (RC): Confirmed (C)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse ignored
10 packages
- python312Packages.pymupdf
- python313Packages.pymupdf
- python314Packages.pymupdf
- python312Packages.pymupdf4llm
- python313Packages.pymupdf4llm
- python314Packages.pymupdf4llm
- zathuraPkgs.zathura_pdf_mupdf
- python312Packages.pymupdf-fonts
- python313Packages.pymupdf-fonts
- python314Packages.pymupdf-fonts
4 months, 1 week ago
@LeSuisse dismissed 4 months, 1 week ago

Artifex MuPDF win_main.c get_system_dpi uncontrolled search path

A flaw has been found in Artifex MuPDF up to 1.26.1 on Windows. The impacted element is the function get_system_dpi of the file platform/x11/win_main.c. This manipulation causes uncontrolled search path. The attack requires local access. The attack is considered to have high complexity. The exploitability is regarded as difficult. Upgrading to version 1.26.2 is sufficient to resolve this issue. Patch name: ebb125334eb007d64e579204af3c264aadf2e244. Upgrading the affected component is recommended.