CVE-2025-0900: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read information disclosure vulnerability in its PDF file parsing functionality. The vulnerability (CVE-2025-0900) was discovered by Rocco Calvi (@TecR0c) and publicly disclosed on February 11, 2025. The issue affects installations of PDF-XChange Editor prior to version 10.4.2.390 (ZDI Advisory, NVD Entry).

The vulnerability stems from the lack of proper validation of user-supplied data during PDF file parsing, which can result in a read past the end of an allocated object. The issue has been assigned a CVSS v3.0 base score of 3.3 (Low) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. An attacker can potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.4.2.390. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).