CVE-2025-50420: 
NixOS vulnerability analysis and mitigation

An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS). The vulnerability was discovered on August 4, 2025, and was assigned CVE-2025-50420. The affected component is the pdfseparate utility in freedesktop poppler version 25.04.0 (NVD, AttackerKB).

The vulnerability exists in the PDFDoc processing logic of the pdfseparate utility. The issue occurs when processing crafted '/Annots' dictionaries that reference themselves or each other, leading to infinite recursion in the call chain 'PDFDoc::markAnnotations -> PDFDoc::markPageObjects -> PDFDoc::markObject -> PDFDoc::markDictionary'. The loop detection mechanism fails because it uses dictionary pointer addresses which differ on each fetch(). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub POC).

When successfully exploited, this vulnerability can cause a denial of service condition through application hang or crash. The impact is primarily on the availability of the system, as the infinite recursion exhausts the call stack. The vulnerability affects the pdfseparate utility's ability to process PDF files, potentially disrupting PDF processing operations (NVD).

The vulnerability has been fixed in poppler version 25.07.0. Users are advised to upgrade to this version or later. The fix has been committed to the official repository and addresses the infinite recursion issue in the PDFDoc processing logic (GitHub POC).