CVE-2025-46206

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46206
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://artifex.com Product
http://mupdf.com Product
https://bugs.ghostscript.com/show_bug.cgi?id=708521 Issue Tracking Third Party Advisory
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac Permissions Required
https://github.com/Landw-hub/CVE-2025-46206 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*
History

02 Oct 2025, 17:39

Type Values Removed Values Added
CPE cpe:2.3:a:artifex:mupdf:*:*:*:*:*:*:*:*
References () http://artifex.com - () http://artifex.com - Product
References () http://mupdf.com - () http://mupdf.com - Product
References () https://bugs.ghostscript.com/show_bug.cgi?id=708521 - () https://bugs.ghostscript.com/show_bug.cgi?id=708521 - Issue Tracking, Third Party Advisory
References () https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac - () https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac - Permissions Required
References () https://github.com/Landw-hub/CVE-2025-46206 - () https://github.com/Landw-hub/CVE-2025-46206 - Exploit, Third Party Advisory
First Time Artifex
Artifex mupdf

05 Aug 2025, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5 		v2 : unknown
v3 : 6.5
CWE CWE-400 CWE-674

05 Aug 2025, 14:34

Type Values Removed Values Added
Summary
  • (es) Un problema en Artifex mupdf 1.25.6 y 1.25.5 permite a un atacante remoto provocar una denegación de servicio mediante una recursión infinita en la utilidad `mutool clean`. Al procesar un archivo PDF manipulado que contiene referencias cíclicas a /Next en la estructura del esquema, la función `strip_outline()` entra en una recursión infinita.

04 Aug 2025, 20:15

Type Values Removed Values Added
CWE CWE-400
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

04 Aug 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-04 18:15

Updated : 2025-10-02 17:39

NVD link : CVE-2025-46206

Mitre link : CVE-2025-46206

CVE.ORG link : CVE-2025-46206

JSON object : View

Products Affected

artifex

  • mupdf
CWE
CWE-674

Uncontrolled Recursion