CVE-2025-71382 | MuPDF before 1.27.0-rc1 contains an uncontrolled recursion v… | CVSS 6.5 MEDIUM

Description

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.

Metadata

CVE ID: CVE-2025-71382
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-23 17:14 UTC
Published: 2026-06-23 17:21 UTC
Last updated: 2026-06-23 17:36 UTC
Primary CWE: CWE-674
Uncontrolled Recursion
Vendor / Product: ArtifexSoftware / mupdf
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
ArtifexSoftware	mupdf	—	0 < 1.27.0-rc1

Weakness (CWE)

CWE	Source	Description
CWE-674	cna	Uncontrolled Recursion

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (4)