CVE-2025-0909
Published: 11 February 2025
Description
PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-25678.
Security Summary
CVE-2025-0909 is an out-of-bounds read information disclosure vulnerability in the XPS file parsing component of PDF-XChange Editor. The flaw arises from a lack of proper validation of user-supplied data, resulting in a read past the end of an allocated object. Published on 2025-02-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified under CWE-125.
Remote attackers can exploit this vulnerability by inducing a target user to visit a malicious web page or open a malicious XPS file using PDF-XChange Editor. Exploitation requires user interaction but enables disclosure of sensitive information on affected installations. Attackers can leverage this issue in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.
Details on the vulnerability, including mitigation recommendations and patch information, are provided in the Zero Day Initiative advisory ZDI-25-064, available at https://www.zerodayinitiative.com/advisories/ZDI-25-064/. Security practitioners should review this advisory for guidance on addressing the issue.
Details
- CWE(s)