CVE-2025-0904: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read information disclosure vulnerability (CVE-2025-0904) that was discovered and disclosed on January 31, 2025. The vulnerability affects the XPS file parsing functionality in PDF-XChange Editor. This security issue was identified by security researcher Rocco Calvi (@TecR0c) with TecSecurity (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during XPS file parsing, which can result in a read past the end of an allocated object. The issue has been assigned a CVSS v3.1 score of 3.3 (Low) with the following vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability has been patched in version 10.4.2.390 of PDF-XChange Editor (ZDI Advisory).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. An attacker can leverage this vulnerability in conjunction with other vulnerabilities to potentially execute arbitrary code in the context of the current process (ZDI Advisory).

The vendor has released version 10.4.2.390 which contains fixes for this vulnerability. Users are advised to upgrade to this version to mitigate the risk. More information about the fix can be found in the vendor's security bulletin (ZDI Advisory).