GHSA-wf5f-4jwr-ppcp: 
Python vulnerability analysis and mitigation

A high severity vulnerability (GHSA-wf5f-4jwr-ppcp) was discovered in pdfminer.six affecting versions prior to 20251107. The vulnerability allows arbitrary code execution through crafted PDF input, where the CMapDB.loaddata() function uses unsafe pickle deserialization when processing PDF files (GitHub Advisory).

The vulnerability exists in the CMapDB.loaddata() function which uses pickle.loads() to deserialize pickle files. While these files are intended to be part of the pdfminer.six distribution in the cmap/ directory, a malicious PDF can specify an alternative directory and filename, provided it ends in .pickle.gz. The vulnerability has a CVSS score of 8.6 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

If exploited, this vulnerability allows attackers to execute arbitrary Python code with the permissions of the process running pdfminer.six. The impact severity varies by operating system - Windows systems are more vulnerable as they can specify network locations (WebDAV, SMB), while Linux/MacOS systems require local file access, making exploitation more difficult (GitHub Advisory).

The vulnerability has been patched in version 20251107. The fix implements path resolution checks to prevent directory traversal by verifying that resolved paths are within the intended directory (GitHub Commit).