CVE-2019-5066

Vulnerability

A use-after-free vulnerability exists in Aspose.PDF 19.2 for C++ when processing LZW-compressed streams. The issue occurs in the LZWDecode filter when a malformed Predictor value (e.g., a negative integer) is provided in the DecodeParms dictionary. The PDF specification expects only positive values for Predictor in LZWDecode; a negative value causes the LZW compression object to be freed prematurely, but a dangling pointer remains. This dangling pointer is later used, leading to a use-after-free condition. Affected version: Aspose.PDF 19.2 for C++ [1].

Exploitation

An attacker can exploit this vulnerability by crafting a PDF document containing a stream with an LZWDecode filter and a DecodeParms dictionary that sets Predictor to a negative value. The victim must open or process the malicious PDF using an application that relies on Aspose.PDF 19.2 for C++. No authentication or user interaction beyond opening the file is required. The attack vector is network-based (remote) with low complexity [1].

Impact

Successful exploitation results in a use-after-free condition, which can lead to arbitrary code execution in the context of the application using the library. Given the CVSSv3 score of 9.8 (Critical), the impact on confidentiality, integrity, and availability is high. An attacker could potentially gain full control of the affected system [1].

Mitigation

As of the publication date (2019-09-18), no patch has been released. The vendor, Aspose, was notified and the vulnerability was disclosed by Cisco Talos. Users should monitor for updates from Aspose and apply any fixed version when available. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the knowledge cutoff [1].