GHSA-f83h-ghpp-7wcc: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
🚀 Overview
This report demonstrates a real-world privilege escalation vulnerability in pdfminer.six caused by unsafe use of Python's pickle module when loading CMap files.
It shows how a low-privileged user can gain root access (or escalate to any service account) by exploiting this insecure deserialization in a typical multi-user or server environment.
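The defensive pattern for the class of bug described above is to never hand attacker-reachable bytes to plain `pickle.load`: gate every global lookup through an allowlist and validate the object's shape afterwards. The following is an added example and not pdfminer.six code; the `dict[int, int]` code-to-CID layout, the `ALLOWED_GLOBALS` set and the constructed sample pickles are assumptions made for illustration.

```python
"""Added example: gating pickle deserialization behind an allowlist.

Not pdfminer.six code; the CMap mapping layout is a constructed stand-in.
"""
import datetime
import io
import pickle

# Globals a CMap mapping pickle is allowed to reference (assumed for this
# example). Plain containers and scalars (dict, list, tuple, int, str,
# bytes) are rebuilt from opcodes and never reach find_class, so an empty
# allowlist already admits a pure-data blob.
ALLOWED_GLOBALS: frozenset[tuple[str, str]] = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL lookup that is not allowlisted.

    pickle resolves callables through find_class() before REDUCE/BUILD can
    invoke them, so rejecting here stops the call from ever happening.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize data with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_cmap_mapping(data: bytes) -> dict[int, int]:
    """Load a code->CID mapping and validate its shape after unpickling.

    Defense in depth: even an allowlisted load is checked to be exactly a
    dict of int -> int before the caller trusts it.
    """
    obj = restricted_loads(data)
    if not isinstance(obj, dict) or not all(
        isinstance(k, int) and isinstance(v, int) for k, v in obj.items()
    ):
        raise ValueError("CMap mapping must be a dict[int, int]")
    return obj


def rejects(data: bytes) -> bool:
    """True if the restricted loader refuses the given pickle."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples (not real pdfminer.six CMap files).
def constructed_pure_data_pickle() -> bytes:
    """A pickle that only contains data opcodes: no global lookup at all."""
    return pickle.dumps({0x20: 1, 0x21: 2, 0x41: 34})


def constructed_object_pickle() -> bytes:
    """A harmless object whose pickle nevertheless carries a global lookup
    plus a REDUCE call (datetime.datetime(...)). That lookup-then-call step
    is the same mechanism that makes untrusted pickles dangerous, so the
    restricted loader must refuse it."""
    return pickle.dumps(datetime.datetime(2024, 1, 1))


if __name__ == "__main__":
    print("mapping:", load_cmap_mapping(constructed_pure_data_pickle()))
    print("object pickle rejected:", rejects(constructed_object_pickle()))
    # Unrestricted pickle.loads resolves the global and calls it.
    print("plain pickle.loads ran the constructor:",
          pickle.loads(constructed_object_pickle()))
```

The allowlist is deliberately empty: a code-to-CID table is pure data and needs no callables to rebuild, so any `find_class` call is by definition something the file should not contain. Where a loader must accept richer objects, the safer direction is a non-executable format (JSON or a purpose-built parser) rather than a longer allowlist.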
🚨 Special Note
This advisory addresses a distinct vulnerability from GHSA-wf5f-4jwr-ppcp (CVE-2025-64512).