CVE-2025-55780: 
NixOS vulnerability analysis and mitigation

A null pointer dereference vulnerability was discovered in MuPDF version 1.26.4 and earlier versions, identified as CVE-2025-55780. The vulnerability occurs in the break_word_for_overflow_wrap() function when rendering malformed EPUB documents. The function calls fz_html_split_flow() to split a FLOW_WORD node but fails to validate node->next before accessing node->next->overflow_wrap, resulting in a crash if the split operation fails or returns a partial node chain. The vulnerability was discovered on August 4, 2025, and was fixed in September 2025 (Bugzilla).

The vulnerability is caused by improper handling of right-to-left text clusters in the HTML layout functionality. When processing a single flow node that is too large for the available width with 'overflow-wrap:break-word' CSS style, the code attempts to break the node into smaller pieces. For right-to-left text, clusters appear in unexpected order, causing the splitting code to fail, which can result in node->next being NULL and subsequent NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The successful exploitation of this vulnerability results in a Denial-of-Service (DoS) condition through application crash when processing specially crafted EPUB documents. The vulnerability affects the availability of the system but does not impact confidentiality or integrity (Bugzilla).

The vulnerability has been fixed in commit bdd5d241748807378a78a622388e0312332513c5. The fix involves modifying the string handling logic to properly handle right-to-left text and updating the harfbuzz integration to use 'grapheme' cluster mode instead of 'character' cluster mode. Users are advised to upgrade to MuPDF version 1.26.10 or later which includes the fix (Bugzilla).