CVE-2025-6655: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read information disclosure vulnerability (CVE-2025-6655) that affects the PRC file parsing functionality. The vulnerability was discovered and reported through the Zero Day Initiative program and was disclosed on June 25, 2025. This security flaw affects installations of PDF-XChange Editor version 10.5.2.395 and requires user interaction, specifically opening a malicious file or visiting a malicious page, to be exploited (ZDI Advisory, Wiz).

The vulnerability stems from improper validation of user-supplied data during the parsing of PRC files, which can result in a read past the end of an allocated object. The issue has been assigned a CVSS v3.0 base score of 3.3 (LOW) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory).

When successfully exploited, this vulnerability allows attackers to disclose sensitive information from affected PDF-XChange Editor installations. The vulnerability could potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

PDF-XChange has released an update (version 10.6.0.396) to address this vulnerability. Users are advised to update to the latest version to mitigate the security risk (Security Bulletin).