CVE-2025-46206
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
An infinite recursion vulnerability was found in Artifex MuPDF versions 1.25.5 and 1.25.6 within the `mutool clean` utility. A remote attacker can cause a denial of service (DoS) by supplying a crafted PDF file with cyclic /Next references in the outline structure.
Risk Assessment
The risk is the potential for a DoS attack on systems using `mutool clean` to process PDF files, which may lead to hangs or resource exhaustion.
Recommendation
It is recommended to upgrade to the latest version of MuPDF that includes a fix for the infinite recursion. Also avoid processing untrusted PDF files with `mutool clean` without prior validation.
Original NVD description (English source)
An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion

