Loading
libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as thosewith support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.
Cite this page
CVE-2025-59933. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2025-59933
Use CWE-126, Libvips vendor hub and Libvips product page to widen CVE-2025-59933 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-29769, CVE-2021-27847 and CVE-2023-40032 for nearby disclosures in the same product family.