CVE-2025-0901
Published: 11 February 2025
Description
PDF-XChange Editor Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25372.
Security Summary
CVE-2025-0901 is an out-of-bounds read vulnerability in PDF-XChange Editor, specifically within the handling of Doc objects. The flaw arises from insufficient validation of user-supplied data, allowing a read access past the end of an allocated buffer. This issue affects installations of PDF-XChange Editor and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-125 (Out-of-bounds Read). It was disclosed by the Zero Day Initiative as ZDI-CAN-25372.
Remote attackers can exploit this vulnerability to achieve remote code execution in the context of the current process. Exploitation requires user interaction, such as the target visiting a malicious web page or opening a malicious file. No privileges are needed on the part of the attacker (PR:N), and the attack is straightforward given low complexity (AC:L) over the network (AV:N).
The Zero Day Initiative advisory (ZDI-25-062) details the vulnerability at https://www.zerodayinitiative.com/advisories/ZDI-25-062/. Security practitioners should consult this reference for additional technical details and any recommended mitigations or patches for PDF-XChange Editor.
Details
- CWE(s)