CVE-2025-64512: 
Python vulnerability analysis and mitigation

CVE-2025-64512 affects pdfminer.six, a community-maintained fork of PDFMiner used for extracting information from PDF documents. The vulnerability was discovered in versions prior to 20251107, where the software could execute arbitrary code from a malicious pickle file when processing a specially crafted PDF file. The issue was disclosed on November 7, 2025, and affects all versions of pdfminer.six before version 20251107 (GitHub Advisory, NVD).

The vulnerability exists in the CMapDB.loaddata() function which uses pickle.loads() to deserialize pickle files. While these pickle files are intended to be part of the pdfminer.six distribution stored in the cmap/ directory, a malicious PDF can specify an alternative directory and filename as long as the filename ends in .pickle.gz. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary Python code with the permissions of the process running pdfminer.six. The impact severity varies by operating system - on Windows systems, exploitation is easier as paths can specify network locations (e.g., WebDAV, SMB), allowing attackers to host malicious pickle files remotely. On Linux-like systems, exploitation is more difficult as it requires the malicious pickle file to be present on the target system in a known location (GitHub Advisory).

The vulnerability has been fixed in pdfminer.six version 20251107. The fix includes implementing proper path validation to prevent directory traversal attacks. Users are strongly recommended to upgrade to this version or later. For Debian 11 (bullseye) users, the fix has been backported to version 20200726-1+deb11u1 (Debian Advisory, GitHub Release).