Related vulnerability
Description
CVE-2025-48708 Ghostscript PDF lack of argument sanitization leading to password leakage
Introduction
# CVE-2025-48708
## Description
A vulnerability in **Artifex Ghostscript** before version **10.05.1** causes the plaintext password used to protect a PDF file to be embedded in the output. The issue is due to a lack of argument sanitization in `gs_lib_ctx_stash_sanitized_arg` (`base/gslibctx.c`), particularly when handling `#` characters.
When generating a password-protected PDF using command-line arguments like `-sUserPassword` or `-sOwnerPassword`, the entire invocation, including passwords, is stored in cleartext at the beginning of the generated PDF. Anyone with access to the file can retrieve the password using simple tools like `type` (on Windows) or `cat` (on Linux/macOS).
## Steps to Reproduce
1. **Install Ghostscript version 10.05.0 or earlier**
[https://github.com/ArtifexSoftware/ghostpdl-downloads](https://github.com/ArtifexSoftware/ghostpdl-downloads)
2. **Generate a password-protected PDF** using a command such as:
```cmd
gswin64.exe -dDisplayFormat=198788 -dDisplayResolution=96 -dCompatibilityLevel#1.4 -sUserPassword#123456789 -sOwnerPassword#123456789 -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE#pdfwrite -sOutputFile#C:\Users\Admin\Downloads\test.pdf
```
3. **Inspect the generated PDF**:
```cmd
type C:\Users\Admin\Downloads\test.pdf
```
You will see the full command-line string, including the plaintext passwords, embedded at the beginning of the file.
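As an added example (not part of this PoC and not Ghostscript's own code), the following Python script checks the head of a PDF for password-bearing Ghostscript arguments left in the file, covering both the `=` and the `#` separator that the description singles out, and models the value-blanking that proper sanitization should apply. The embedded invocation line in `SAMPLE_PDF` is constructed to mirror the command above; the exact comment layout in a real affected file may differ.

```python
import re
from pathlib import Path

# Both separators are checked: CVE-2025-48708 is specifically about '#'
# escaping the sanitization that '=' already received.
ARG_RE = re.compile(
    rb"-s(?P<name>UserPassword|OwnerPassword)(?P<sep>[=#])(?P<value>\S+)"
)


def find_leaked_passwords(data: bytes, head: int = 4096) -> list[dict]:
    """Return every password argument found in the first `head` bytes of a
    PDF, where pdfwrite embeds the invocation string."""
    hits = []
    for m in ARG_RE.finditer(data[:head]):
        hits.append({
            "option": m.group("name").decode(),
            "separator": m.group("sep").decode(),
            "value": m.group("value").decode(errors="replace"),
            "offset": m.start(),
        })
    return hits


def sanitize_argument(arg: str) -> str:
    """Model of the sanitization the fix is meant to perform (an assumption,
    not Ghostscript's code): blank the value of a secret option regardless of
    whether the separator is '=' or '#'."""
    m = re.fullmatch(r"(-s(?:UserPassword|OwnerPassword))([=#]).*", arg)
    return f"{m.group(1)}{m.group(2)}?" if m else arg


def scan_file(path: str) -> list[dict]:
    """Scan an on-disk PDF produced by an unpatched Ghostscript."""
    return find_leaked_passwords(Path(path).read_bytes())


# Constructed sample: a PDF header carrying an invocation line like the one
# the PoC command produces (layout is an assumption for illustration).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"%\xe2\xe3\xcf\xd3\n"
    b"% gswin64.exe -dCompatibilityLevel#1.4 -sUserPassword#123456789 "
    b"-sOwnerPassword#123456789 -sDEVICE#pdfwrite -sOutputFile#test.pdf\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
)

if __name__ == "__main__":
    for hit in find_leaked_passwords(SAMPLE_PDF):
        print(f"{hit['option']} leaked via '{hit['separator']}' "
              f"at offset {hit['offset']}: {hit['value']}")
```

Point `scan_file` at a PDF produced by the command in step 2 to confirm whether the installed Ghostscript is affected.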
## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-48708
- https://bugs.ghostscript.com/show_bug.cgi?id=708446
- http://www.openwall.com/lists/oss-security/2025/05/23/2
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b587663c623b4462f9e78686a31fd880207303ee
File snapshot
[4.0K] /data/pocs/14ac4fe9f22587200ecf1b163fae99ab0e48d7ec
└── [1.7K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, please email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.