CVE-2025-27837

NameCVE-2025-27837
DescriptionAn issue was discovered in Artifex Ghostscript before 10.05.0. Access to arbitrary files can occur through a truncated path with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ghostscript (PTS)bullseye9.53.3~dfsg-7+deb11u7fixed
bullseye (security)9.53.3~dfsg-7+deb11u9fixed
bookworm10.0.0~dfsg-11+deb12u6fixed
bookworm (security)10.0.0~dfsg-11+deb12u7fixed
sid, trixie10.05.0~dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ghostscriptsource(unstable)(not affected)

Notes

- ghostscript <not-affected> (Only impacts codepaths relevant for Windows builds)
https://bugs.ghostscript.com/show_bug.cgi?id=708238
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dbb9f2b11f820697e77863523a8d835ab040e5d1 (ghostpdl-10.05.0)

Search for package or bug name: Reporting problems