CVE-2025-46206

MEDIUM

Artifex mupdf <1.25.6-1.25.5 - DoS

Title source: llm

Description

An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion

Exploits (1)

nomisec WRITEUP

by Landw-hub · poc

https://github.com/Landw-hub/CVE-2025-46206

View Code ZIP pw:eip

References (5)

[Product] http://artifex.com

[Product] http://mupdf.com

[Issue Tracking, Third Party Advisory] https://bugs.ghostscript.com/show_bug.cgi?id=708521

[Permissions Required] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac

[Exploit, Third Party Advisory] https://github.com/Landw-hub/CVE-2025-46206

Scores

CVSS v3 6.5

EPSS 0.0027

EPSS Percentile 50.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (1)

artifex/mupdf < 1.25.6

Published Aug 04, 2025

Tracked Since Feb 18, 2026