Vulnerability Details CVE-2025-59933
libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as thosewith support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.5%
CVSS Severity
CVSS v3 Score 7.8
References
Products affected by CVE-2025-59933
-
cpe:2.3:a:libvips:libvips:7.28.0
-
cpe:2.3:a:libvips:libvips:7.30.0
-
cpe:2.3:a:libvips:libvips:8.0
-
cpe:2.3:a:libvips:libvips:8.1
-
cpe:2.3:a:libvips:libvips:8.10.0
-
cpe:2.3:a:libvips:libvips:8.10.1
-
cpe:2.3:a:libvips:libvips:8.10.2
-
cpe:2.3:a:libvips:libvips:8.10.3
-
cpe:2.3:a:libvips:libvips:8.10.4
-
cpe:2.3:a:libvips:libvips:8.10.5
-
cpe:2.3:a:libvips:libvips:8.10.6
-
cpe:2.3:a:libvips:libvips:8.11.0
-
cpe:2.3:a:libvips:libvips:8.11.1
-
cpe:2.3:a:libvips:libvips:8.11.2
-
cpe:2.3:a:libvips:libvips:8.11.3
-
cpe:2.3:a:libvips:libvips:8.11.4
-
cpe:2.3:a:libvips:libvips:8.12.0
-
cpe:2.3:a:libvips:libvips:8.12.1
-
cpe:2.3:a:libvips:libvips:8.12.2
-
cpe:2.3:a:libvips:libvips:8.13.0
-
cpe:2.3:a:libvips:libvips:8.13.1
-
cpe:2.3:a:libvips:libvips:8.13.2
-
cpe:2.3:a:libvips:libvips:8.13.3
-
cpe:2.3:a:libvips:libvips:8.14.0
-
cpe:2.3:a:libvips:libvips:8.14.1
-
cpe:2.3:a:libvips:libvips:8.14.2
-
cpe:2.3:a:libvips:libvips:8.14.3
-
cpe:2.3:a:libvips:libvips:8.14.4
-
cpe:2.3:a:libvips:libvips:8.2.2
-
cpe:2.3:a:libvips:libvips:8.2.3
-
cpe:2.3:a:libvips:libvips:8.3.0
-
cpe:2.3:a:libvips:libvips:8.4.2
-
cpe:2.3:a:libvips:libvips:8.4.6
-
cpe:2.3:a:libvips:libvips:8.5.1
-
cpe:2.3:a:libvips:libvips:8.5.2
-
cpe:2.3:a:libvips:libvips:8.5.3
-
cpe:2.3:a:libvips:libvips:8.5.4
-
cpe:2.3:a:libvips:libvips:8.5.5
-
cpe:2.3:a:libvips:libvips:8.5.6
-
cpe:2.3:a:libvips:libvips:8.5.7
-
cpe:2.3:a:libvips:libvips:8.5.8
-
cpe:2.3:a:libvips:libvips:8.5.9
-
cpe:2.3:a:libvips:libvips:8.6.0
-
cpe:2.3:a:libvips:libvips:8.6.1
-
cpe:2.3:a:libvips:libvips:8.6.2
-
cpe:2.3:a:libvips:libvips:8.6.3
-
cpe:2.3:a:libvips:libvips:8.6.4
-
cpe:2.3:a:libvips:libvips:8.6.5
-
cpe:2.3:a:libvips:libvips:8.7.0
-
cpe:2.3:a:libvips:libvips:8.7.1
-
cpe:2.3:a:libvips:libvips:8.7.2
-
cpe:2.3:a:libvips:libvips:8.7.3
-
cpe:2.3:a:libvips:libvips:8.7.4
-
cpe:2.3:a:libvips:libvips:8.8.0
-
cpe:2.3:a:libvips:libvips:8.8.1
-
cpe:2.3:a:libvips:libvips:8.8.2
-
cpe:2.3:a:libvips:libvips:8.8.3
-
cpe:2.3:a:libvips:libvips:8.8.4
-
cpe:2.3:a:libvips:libvips:8.9.0
-
cpe:2.3:a:libvips:libvips:8.9.1
-
cpe:2.3:a:libvips:libvips:8.9.2