{"id":"CVE-2025-59933","summary":"libvips is vulnerable to Buffer Over-Read in poppler-based pdfload","details":"libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected, as are those with support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set the VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.","aliases":["GHSA-q8px-4w5q-c2r4"],"modified":"2026-04-10T05:32:14.389630Z","published":"2025-09-29T22:04:09.404Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-126"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59933.json"},"references":[{"type":"WEB","url":"https://github.com/libvips/libvips/releases/tag/v8.17.2"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/cve-2025-59933-detect-libvips-vulnerability"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/cve-2025-59933-mitigate-libvips-vulnerability"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59933.json"},{"type":"ADVISORY","url":"https://github.com/libvips/libvips/security/advisories/GHSA-q8px-4w5q-c2r4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59933"},{"type":"FIX","url":"https://github.com/libvips/libvips/commit/a58bfae9223a5466cc81ba9fe6dfb08233cf17d1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libvips/libvips","events":[{"introduced":
"0"},{"fixed":"0b9ea3a62477f670421868337dfaf13e8aa9d754"}]}],"versions":["v7.28.0","v8.0-beta","v8.1","v8.10.0","v8.10.0-beta1","v8.10.0-beta2","v8.10.0-rc1","v8.10.0-rc2","v8.10.6-beta2","v8.11","v8.11.0","v8.11.0-rc1","v8.12.0","v8.12.0-rc1","v8.13.0","v8.13.0-pre1","v8.13.0-rc1","v8.13.0-rc2","v8.14.0","v8.14.0-rc1","v8.15.0","v8.15.0-rc2","v8.16.0","v8.16.0-rc1","v8.16.0-rc2","v8.17.0","v8.17.0-rc1","v8.17.0-test1","v8.17.0-test2","v8.17.0-test3","v8.17.0-test4","v8.17.1","v8.2.2","v8.3.0","v8.5.1","v8.5.2","v8.5.3","v8.6.0","v8.6.0-alpha1","v8.6.0-alpha2","v8.6.0-beta1","v8.6.0-beta2","v8.7.0","v8.7.0-alpha2","v8.7.0-rc1","v8.7.0-rc2","v8.7.0-rc3","v8.8.0","v8.8.0-rc1","v8.8.0-rc2","v8.8.0-rc3","v8.9.0","v8.9.0-alpha1","v8.9.0-beta1","v8.9.0-beta2","v8.9.0-rc1","v8.9.0-rc2","v8.9.0-rc3","v8.9.0-rc4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59933.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"}]}
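The workaround in the details field, applied from a Python service that uses libvips through the pyvips binding, as an added example (this is not part of the OSV record or of the libvips project; the helper names `parse_version`, `is_affected`, `block_pdf_loader` and `harden_if_needed` are this example's own, while `pyvips.version`, `pyvips.operation_block_set`, `pyvips.Image.new_from_file` and `pyvips.Error` are the binding's real API). The version gate treats every build before 8.17.2 as affected, because the version number alone does not reveal whether PDF support was compiled in via poppler, via PDFium, or not at all:

```python
# Added example: apply the CVE-2025-59933 workaround from Python via pyvips.
# Not part of the OSV record or of the libvips project; helper names are
# this example's own.
import os

try:
    import pyvips  # the libvips Python binding
except ImportError:  # keep the version logic usable without libvips installed
    pyvips = None

# First libvips release that contains the fix, per the advisory.
FIXED_VERSION = (8, 17, 2)


def parse_version(text):
    """Turn a version string such as '8.17.1' or 'v8.17.2' into a tuple."""
    parts = text.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if this libvips version predates the 8.17.2 fix.

    Only poppler-based pdfload builds are actually vulnerable; builds without
    PDF support or with PDFium are not. That cannot be read from the version
    number, so any pre-fix build is treated as affected and block_pdf_loader()
    makes the operation unreachable whichever backend was compiled in.
    """
    if isinstance(version, str):
        version = parse_version(version)
    return tuple(version) < FIXED_VERSION


def running_libvips_version():
    """Version of the libvips actually linked by pyvips, as a tuple."""
    if pyvips is None:
        raise RuntimeError("pyvips is not installed")
    return (pyvips.version(0), pyvips.version(1), pyvips.version(2))


def block_pdf_loader():
    """Advisory workaround: block the VipsForeignLoadPdf operation class.

    pyvips.operation_block_set blocks the named class and everything below
    it, so later pdfload calls (including new_from_file on a .pdf) fail with
    pyvips.Error instead of reaching the affected header parser.
    """
    if pyvips is None:
        raise RuntimeError("pyvips is not installed")
    pyvips.operation_block_set("VipsForeignLoadPdf", True)


def harden_if_needed():
    """Block PDF loading when the linked libvips is older than 8.17.2.

    Returns True if the block was applied, False if the build is fixed.
    """
    if is_affected(running_libvips_version()):
        block_pdf_loader()
        return True
    return False


if __name__ == "__main__":
    # The other advisory workaround, VIPS_BLOCK_UNTRUSTED, blocks every
    # untrusted loader (poppler pdfload included). libvips reads it during
    # initialisation, so it must already be in the environment before pyvips
    # is imported; set it from the process supervisor, not from here.
    print("VIPS_BLOCK_UNTRUSTED set:", "VIPS_BLOCK_UNTRUSTED" in os.environ)
    if pyvips is None:
        print("pyvips not installed; only the version check is available")
    else:
        print("libvips", ".".join(map(str, running_libvips_version())),
              "blocked pdfload:", harden_if_needed())
        try:
            # Constructed path for illustration; with the block active even a
            # real, attacker-supplied PDF is refused with pyvips.Error.
            pyvips.Image.new_from_file("untrusted.pdf")
        except pyvips.Error as exc:
            print("pdfload refused:", str(exc).splitlines()[0])
```

Call `harden_if_needed()` once at process start, before any user-supplied file reaches `new_from_file`; blocking is process-wide state in libvips, so it only needs to be set once per process, and it remains a sensible default even after upgrading to 8.17.2 if the service never legitimately needs PDF input.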