CVE-2025-57248: 
SumatraPDF vulnerability analysis and mitigation

A null pointer dereference vulnerability was discovered in SumatraPDF 3.5.2 during the processing of a crafted .djvu file. When the file is opened, the application crashes inside libmupdf.dll, specifically in the DataPool::has_data() function. The vulnerability was discovered and reported on July 21, 2025, and was assigned CVE-2025-57248 (NVD).

The vulnerability occurs in the DataPool::has_data() function within libmupdf.dll. The root cause is a null pointer dereference that happens when processing malformed DjVu files. The vulnerable execution path follows DjVuFile::init() → DataPool::create() → DataPool::connect() → DataPool::has_data(), which is triggered during recursive chunk processing when the internal pointer is unexpectedly null. The CVSS v3.1 base score for this vulnerability is 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD, GitHub Issue).

When exploited, this vulnerability causes the application to crash due to the null pointer dereference. The vulnerability has been classified with CWE-476 (NULL Pointer Dereference) and can lead to denial of service conditions when processing specially crafted DjVu files (NVD).