pdfminer.six 20250506 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the pdfminer.six package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data pdfminer.six is a PDF parser and analyzer Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `CMapDB._load_data` function. An attacker can execute arbitrary code by crafting a malicious PDF that references a specially crafted pickle file, which is then deserialized without proper validation. Notes: Exploitation of this vulnerability requires an attacker to provide a remote reference to a malicious pickle file at a location accessible to the target system. On Linux-like systems, only files on the filesystem can be resolved, requiring the malicious file to be present on the target system in a location that the attacker already knows On Windows, the malicious file path can include network locations, e.g., WebDAV, SMB. How to fix Deserialization of Untrusted Data? Upgrade `pdfminer.six` to version 20251107 or higher.	[,20251107)
H Deserialization of Untrusted Data pdfminer.six is a PDF parser and analyzer Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CMap loading process. An attacker can execute arbitrary code with the privileges of the process running the library by placing a malicious `.pickle.gz` file in a directory included in the CMap search path. Note: This is only exploitable if the attacker can write to a directory specified in the `CMAP_PATH` or the default CMap directories used by the process. How to fix Deserialization of Untrusted Data? Upgrade `pdfminer.six` to version 20251107 or higher.	[,20251107)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

pdfminer.six is a PDF parser and analyzer

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CMapDB._load_data function. An attacker can execute arbitrary code by crafting a malicious PDF that references a specially crafted pickle file, which is then deserialized without proper validation.

Notes:

Exploitation of this vulnerability requires an attacker to provide a remote reference to a malicious pickle file at a location accessible to the target system.
On Linux-like systems, only files on the filesystem can be resolved, requiring the malicious file to be present on the target system in a location that the attacker already knows
On Windows, the malicious file path can include network locations, e.g., WebDAV, SMB.

How to fix Deserialization of Untrusted Data?

Upgrade pdfminer.six to version 20251107 or higher.

[,20251107)

Deserialization of Untrusted Data

pdfminer.six is a PDF parser and analyzer

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CMap loading process. An attacker can execute arbitrary code with the privileges of the process running the library by placing a malicious .pickle.gz file in a directory included in the CMap search path.

Note: This is only exploitable if the attacker can write to a directory specified in the CMAP_PATH or the default CMap directories used by the process.

How to fix Deserialization of Untrusted Data?

Upgrade pdfminer.six to version 20251107 or higher.

[,20251107)

pdfminer.six@20250506 vulnerabilities

PDF parser and analyzer

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically