Home > Vulnerability Database > CVE-2025-70559

Mend.io Vulnerability Database

CVE-2025-70559

Good to know:

Date: February 2, 2026

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512.

Severity Score

8.2

Related Resources (6)

Url: https://github.com/advisories/GHSA-f83h-ghpp-7wcc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-70559

Url: https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc

Url: https://github.com/pdfminer/pdfminer.six

Url: https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086

Url: https://www.mend.io/vulnerability-database/CVE-2025-70559

Severity Score

8.2

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-915

Top Fix

Upgrade Version

Upgrade to version pdfminer.six - 20251230;pdfminer.six - 20251230;pdfminer.six - 20251230;https://github.com/pdfminer/pdfminer.six.git - 20251230

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-70559

Good to know:

Date: February 2, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?