## Vulnerability Key Information

### Vulnerability Overview

- **CVE ID**: CVE-2025-64512
- **CVSS v3 Score**: 8.3/10
- **Severity**: High

### Vulnerability Details

- **Component**: pdfminer.six CMap loader
- **Issue**: Unsafe use of Python's `pickle` module to load and deserialize `.pickle.gz` CMap files, including files that originate from untrusted sources.
- **Exploitability**: If a low-privileged user can write to any directory on `CMAP_PATH`, the code they plant is executed by whichever account runs pdfminer.six, typically root or a privileged service account.
- **Impact**: Full code execution under the service user's identity, enabling privilege escalation from an unprivileged user to root, persistence, and potential lateral movement.

### Technical Details

- **Vulnerability Type**: Unsafe deserialization of untrusted data
- **Attack Prerequisite**: The attacker can write to a directory included in the CMap search path.
- **Vulnerable Code Location**:

```python
return type(str(name), (), pickle.loads(gzfile.read()))
```

This line is in the `_load_data` method of `pdfminer/cmapdb.py`. The gzip-decompressed file content is passed straight to `pickle.loads`, so any directory on the search path is effectively a code-loading path.

### Proof of Concept

- `createEvilPickle.py`, `evilmmod.py`, and `processPDF.py` are provided as proof-of-concept code.

### Exploitation Process

1. **Attacker** uses `createEvilPickle.py` to generate a malicious CMap pickle and places it in a shared upload directory.
2. **Root user** runs a normal PDF-processing script that loads CMap files from that directory.
3. The malicious pickled CMap is deserialized, executing arbitrary code with root or privileged service privileges.
4. The attacker obtains evidence of code execution as root (the `/root/pwnedByPdfminer` file).
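The root cause is that `pickle.loads` will resolve and call any importable name the file asks for, and the loader trusts every directory on the search path. The following is an added defensive example written for this page; it is not pdfminer.six code and not the project's fix. It shows two mitigations an operator or maintainer can apply around a loader shaped like the one quoted above: a data-only unpickler whose `find_class` rejects every global lookup (so a CMap pickle can only yield dicts, lists, strings, ints and bools, which is all a CMap needs), and a permission audit of the CMap search path that flags directories a lower-privileged user could write into. All file names, directory names and CMap contents in `demo()` are constructed for the example.

```python
"""Added defensive example (not pdfminer.six code): hardening around a
pickle-based CMap loader and auditing the CMap search path."""
import collections
import gzip
import io
import os
import pickle
import shutil
import stat
import tempfile


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module.name reference.

    Code execution through pickle depends on the GLOBAL/STACK_GLOBAL opcodes
    resolving a callable (via __reduce__).  With find_class disabled, only
    plain containers and scalars can be reconstructed, which is all a CMap
    table consists of.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} in CMap data"
        )


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads restricted to plain data."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def load_cmap_gz(path: str):
    """Load a .pickle.gz CMap file through the data-only unpickler."""
    with gzip.open(path, "rb") as gzfile:
        return safe_loads(gzfile.read())


def insecure_cmap_dirs(cmap_path: str):
    """Return (directory, reason) pairs for search-path entries that a user
    other than the owner could write to.  cmap_path uses the OS path
    separator, like the CMAP_PATH environment variable described above."""
    findings = []
    for d in cmap_path.split(os.pathsep):
        if not d:
            continue
        try:
            st = os.stat(d)
        except FileNotFoundError:
            findings.append((d, "missing"))
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((d, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((d, "group-writable"))
        elif hasattr(os, "geteuid") and os.geteuid() == 0 and st.st_uid != 0:
            # Running as root but loading from a directory owned by someone else.
            findings.append((d, f"owned by uid {st.st_uid}, not root"))
    return findings


def demo() -> dict:
    """Exercise both mitigations on constructed inputs; returns the outcomes."""
    results = {}
    # Constructed CMap-shaped data: dicts, ints and bools only.
    plain = pickle.dumps({"CODE2CID": {0x41: 34}, "IS_VERTICAL": False}, protocol=4)
    results["plain_loaded"] = safe_loads(plain)["CODE2CID"][0x41]
    # Constructed pickle containing a global reference (collections.OrderedDict).
    # It is harmless, but it uses the same opcode that code-executing pickles
    # rely on, so the data-only unpickler must reject it.
    with_global = pickle.dumps(collections.OrderedDict(), protocol=4)
    try:
        safe_loads(with_global)
        results["global_rejected"] = False
    except pickle.UnpicklingError:
        results["global_rejected"] = True
    # Constructed .pickle.gz in a temporary directory, which is then made
    # world-writable so the search-path audit has something to report.
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "Example-H.pickle.gz")  # constructed file name
        with gzip.open(path, "wb") as f:
            f.write(plain)
        results["gz_loaded"] = load_cmap_gz(path)["IS_VERTICAL"]
        os.chmod(tmp, 0o1777)
        results["audit"] = [reason for _, reason in insecure_cmap_dirs(tmp)]
    finally:
        shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

The unpickler restriction removes the code-execution primitive regardless of who can write to the directory; the audit addresses the prerequisite itself, since a root-run service should never load CMap data from a directory that other accounts can modify. Upgrading to a fixed pdfminer.six release remains the primary remediation.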