CVE Catalog

CVE-2025-46206

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

An infinite recursion vulnerability was found in Artifex MuPDF versions 1.25.5 and 1.25.6 within the `mutool clean` utility. A remote attacker can cause a denial of service (DoS) by supplying a crafted PDF file with cyclic /Next references in the outline structure.

Risk Assessment

The risk is the potential for a DoS attack on systems using `mutool clean` to process PDF files, which may lead to hangs or resource exhaustion.

Recommendation

It is recommended to upgrade to the latest version of MuPDF that includes a fix for the infinite recursion. Also avoid processing untrusted PDF files with `mutool clean` without prior validation.

Original NVD description (English source)

An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion

Vulnerability data from NVD (NIST) · CISA KEV · EPSS