There is a denial of service vulnerability in MuPDF 1.25.6 and earlier versions. When an attacker runs the "mutool clean poc /dev/null" command, the program will fall into an infinite recursion between the strip_outlines() and strip_outline() functions in pdf-clean-file.c until the stack is exhausted.
See the attachment for the specific POC file, vulnerability cause, reproduction process and repair suggestions.
The vendor (Artifex Software, maintainer of MuPDF) has acknowledged the issue and fixed the bug. The fix has been committed in their official repository.
Here is the public link to the patch / commit provided by the vendor:
https://bugs.ghostscript.com/show_bug.cgi?id=708521
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac
This confirms that the vulnerability has been acknowledged and remediated.
[4.0K] /data/pocs/eb00f2929b18118c0c17507ec60cc63c793397c3
├── [1.4K] mupdf-clean-poc
├── [ 878] README.md
├── [638K] vulnerability cause.doc
└── [517K] vulnerability reproduction process.doc
0 directories, 4 files