CVE-2020-19463
Description
An issue has been found in function vfprintf in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack overflow in PDF2JSON 0.70's vfprintf function allows an attacker to cause a denial of service via a crafted PDF file.
Vulnerability
A stack overflow vulnerability exists in the vfprintf function of PDF2JSON version 0.70 (commit b671b64). The issue is triggered when the application processes a malformed PDF file, leading to uncontrolled recursion or excessive stack allocation. The root cause is related to resource allocation without limits (CWE-770) [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted PDF file to PDF2JSON. No authentication or special privileges are required; the attacker only needs the ability to deliver the malicious file (e.g., via a web upload, email attachment, or file share) and have the victim process it with PDF2JSON. The associated proof-of-concept (PoC) file reproduces the crash [2].
Impact
Successful exploitation results in a denial of service (DoS): the stack overflow typically crashes the application with a segmentation fault (SIGSEGV). The available references do not specify a CVSS score, but the impact is limited to availability; the outcome is a crash [2].
Mitigation
As of the latest commit (b671b64) in version 0.70, no fix has been released. Users should apply input validation or restrict access to untrusted PDF files. There is no known patch or workaround provided by the vendor. The vulnerability is not listed in the CISA KEV catalog.
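One way to contain the crash while no fix exists, as an added example (not code from PDF2JSON or from the referenced issue): run each conversion in a short-lived child process with resource limits, so a SIGSEGV on a malformed PDF fails that one file instead of taking down the calling service. The function names, limit values and the stand-in child command are assumptions; the caller supplies the real converter command line as `argv`.

```python
import resource
import signal
import subprocess
import sys


def _cap(kind, value):
    # Lower only the soft limit, never above the existing hard limit.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, hard))


def run_converter(argv, timeout=30, cpu_seconds=20, memory_bytes=1 << 30):
    """Run one conversion in a child process and classify how it ended.

    argv is the converter command line (assumption: the caller supplies the
    real PDF2JSON invocation for one untrusted input file).
    """
    def limits():  # runs in the child just before exec
        _cap(resource.RLIMIT_CPU, cpu_seconds)   # runaway parsing
        _cap(resource.RLIMIT_AS, memory_bytes)   # unbounded allocation
        _cap(resource.RLIMIT_CORE, 0)            # no core file per crash

    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL,
                              timeout=timeout, preexec_fn=limits)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "detail": f"killed after {timeout}s"}
    if proc.returncode < 0:  # negative return code: child died from a signal
        name = signal.Signals(-proc.returncode).name
        return {"status": "crashed", "detail": name}
    if proc.returncode != 0:
        return {"status": "failed", "detail": f"exit code {proc.returncode}"}
    return {"status": "ok", "detail": ""}


if __name__ == "__main__":
    # Constructed stand-in for a converter that segfaults on its input.
    crash = [sys.executable, "-c",
             "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    print(run_converter(crash))
```

A `crashed` result with `SIGSEGV` is also a useful detection signal: log the input file's hash and quarantine the file rather than retrying it.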
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PDF2JSON/PDF2JSON
Patches
No patches discovered yet.
References
- cwe.mitre.org/data/definitions/770.html (mitre, x_refsource_MISC)
- github.com/flexpaper/pdf2json/issues/24 (mitre, x_refsource_MISC)