Description
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
Passive
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- ArtifexSoftware / mupdf0 – 1.27.0-rc1
References
- PATCHhttps://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0-rc1
- MISChttps://bugs.ghostscript.com/show_bug.cgi?id=708840
- PATCHhttps://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f623a4e94e
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/mupdf-rc1-stack-exhaustion-dos-via-epub-css-rendering