CVE-2025-59933: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-59933 affects libvips, a demand-driven, horizontally threaded image processing library. The vulnerability was discovered in versions 8.17.1 and below, specifically when libvips is compiled with support for PDF input via poppler. The issue involves a buffer read overflow vulnerability that occurs when parsing the header of a crafted PDF with a page that defines a width but not a height. The vulnerability was disclosed on September 29, 2025, and was patched in version 8.17.2 (GitHub Advisory).

The vulnerability is classified as a Buffer Over-read (CWE-126) with a CVSS v4.0 score of 5.1 (Medium). The technical assessment shows that the vulnerability has local attack vector (AV:L), low attack complexity (AC:L), requires no attack requirements (AT:N), needs no privileges (PR:N), and no user interaction (UI:N). The impact metrics indicate low severity for both vulnerable and subsequent system confidentiality, integrity, and availability (VC:L/VI:L/VA:L/SC:L/SI:L/SA:L) (GitHub Advisory).

When exploited, the vulnerability causes a buffer read overflow during the parsing of PDF headers. The processing halts shortly after the buffer read overflow occurs, and no output is generated. Importantly, it is not possible for a consuming application to access the memory area that was overflowed. Users who have compiled libvips without PDF input support or those using PDFium for PDF input are not affected by this vulnerability (GitHub Advisory).

The vulnerability has been patched in libvips version 8.17.2. For those unable to update immediately, two workarounds are available: 1) Block the VipsForeignLoadPdf operation using vipsoperationblockset, which is available in most language bindings, or 2) Set the VIPSBLOCK_UNTRUSTED environment variable at runtime to block all untrusted loaders including PDF input via poppler (GitHub Release, GitHub Advisory).