GHSA-f83h-ghpp-7wcc: 
Python vulnerability analysis and mitigation

pdfminer.six, a popular Python library for extracting text and information from PDF files, was found to contain an insecure deserialization vulnerability (GHSA-f83h-ghpp-7wcc) in its CMap loader component. The vulnerability affects versions <= 20250506 and was patched in version 20251107. This security issue allows a low-privileged user to gain root access through unsafe usage of Python's pickle module for CMap file loading (GitHub Advisory).

The vulnerability exists in the pdfminer.six CMap loading functionality (pdfminer/cmapdb.py). The issue stems from loading and deserializing .pickle.gz files using Python's pickle module without proper validation of untrusted data. The vulnerable code is located in the loaddata method where it uses pickle.loads() on untrusted input. The vulnerability has been assigned a CVSS score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

If exploited, this vulnerability allows attackers to achieve full code execution as the service user, potentially escalating privileges from user to root. The impact includes potential for persistence and lateral movement within the system. The vulnerability affects confidentiality, integrity, and availability of the system, with all three rated as High in the CVSS metrics (GitHub Advisory).

The vulnerability has been patched in version 20251107 of pdfminer.six. The fix includes implementing path resolution to prevent directory traversal and adding checks to ensure resolved paths are within intended directories (GitHub Commit).