SCA: security update for pdfminer.six (GHSA-f83h-ghpp-7wcc)

medium Tenable Cloud Security Plugin ID 435998

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. (CVE-2025-70559)

See Also

https://github.com/advisories/GHSA-f83h-ghpp-7wcc

Plugin Details

Severity: Medium

ID: 435998

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 11/8/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.71

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-70559

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/7/2025

Vulnerability Publication Date: 2/3/2026

Reference Information

CVE: CVE-2025-70559