CVE-2025-71382

NameCVE-2025-71382
DescriptionMuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mupdf (PTS)bullseye1.17.0+ds1-2vulnerable
bullseye (security)1.17.0+ds1-2+deb11u2vulnerable
bookworm, bookworm (security)1.21.1+ds2-1+deb12u1vulnerable
trixie (security), trixie1.25.1+ds1-6+deb13u1vulnerable
forky, sid1.27.0+ds1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mupdfsource(unstable)1.27.0+ds1-2

Notes

[trixie] - mupdf <no-dsa> (Minor issue)
https://bugs.ghostscript.com/show_bug.cgi?id=708840
Fixed by: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=70b71ab22e6de4d4c44cd301c88231f623a4e94e (1.27.0-rc1)

Search for package or bug name: Reporting problems