
Cloud Vulnerability DB
A community-led vulnerabilities database
A denial of service vulnerability was discovered in Artifex MuPDF versions 1.25.6 and 1.25.5, identified as CVE-2025-46206. The vulnerability was reported on May 10, 2025, and allows a remote attacker to cause a denial of service through infinite recursion in the mutool clean utility when it processes specially crafted PDF files containing cyclic /Next references in the outline structure (Ghostscript Bug, NVD).
The vulnerability occurs in the strip_outline() function within pdf-clean-file.c, where processing a PDF file with cyclic /Next references in the outline structure causes infinite recursion between the strip_outlines() and strip_outline() functions until stack exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating network accessibility with required user interaction (NVD).
When exploited, the vulnerability results in a denial of service condition by exhausting stack memory through infinite recursion. This affects the availability of the system running the MuPDF utility, particularly when processing maliciously crafted PDF files (Ghostscript Bug).
The vulnerability has been fixed in commit 0ec7e4d2201bb6df217e01c17396d36297abf9ac, which implements a solution to avoid recursive cycles while stripping outlines. Users should upgrade to the patched version when available. The fix was committed on May 10, 2025, by Sebastian Rasmussen (Ghostscript Commit).
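The class of fix described above, visiting each outline item at most once so a cyclic /Next chain cannot recurse forever, can be shown on a simplified model. This is an added example, not MuPDF's code or the contents of the fix commit; the `outline_node` struct, the `walk` and `check_outline` functions, and the sample tables are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a PDF outline item (not MuPDF's structures):
 * indices into a node table, -1 meaning the key is absent. */
struct outline_node { int first; /* /First */ int next; /* /Next */ };

/* Constructed samples: root 0 with children 1 -> 2 -> 3. */
static const struct outline_node good[] = { {1,-1}, {-1,2}, {-1,3}, {-1,-1} };
/* Same outline, but node 3's /Next points back at node 1 (cyclic). */
static const struct outline_node cyclic[] = { {1,-1}, {-1,2}, {-1,3}, {-1,1} };

/* Walk siblings iteratively, descend into children, mark each node on first
 * visit. Returns nodes reached, or -1 on an out-of-range reference or a
 * reference to an already-visited node (a cycle or a doubly linked node).
 * Marking bounds both the loop and the recursion depth by n. */
static int walk(const struct outline_node *nodes, int n, int start,
                unsigned char *visited)
{
    int count = 0;
    for (int cur = start; cur != -1; cur = nodes[cur].next) {
        if (cur < 0 || cur >= n || visited[cur])
            return -1;
        visited[cur] = 1;
        count++;
        if (nodes[cur].first != -1) {
            int sub = walk(nodes, n, nodes[cur].first, visited);
            if (sub < 0)
                return -1;
            count += sub;
        }
    }
    return count;
}

/* Allocate the visited set and validate the outline starting at root. */
int check_outline(const struct outline_node *nodes, int n, int root)
{
    unsigned char *visited = calloc((size_t)n, 1);
    if (!visited)
        return -1;
    int r = walk(nodes, n, root, visited);
    free(visited);
    return r;
}

int main(void)
{
    printf("good: %d, cyclic: %d\n",
           check_outline(good, 4, 0), check_outline(cyclic, 4, 0));
    return 0;
}
```

Without the `visited` check, the cyclic table would keep the sibling loop running indefinitely; with it, the walk stops at the first repeated node and reports the outline as malformed.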
Source: This report was generated using AI