{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/funstory-ai/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BabelDOC \u003c= 0.6.2"],"_cs_severities":["critical"],"_cs_tags":["code-execution","deserialization","pdf","python","path-traversal","python","linux","windows"],"_cs_type":"advisory","_cs_vendors":["funstory-ai"],"content_html":"\u003cp\u003eBabelDOC, specifically its vendored PDF parser located at \u003ccode\u003ebabeldoc/pdfminer/cmapdb.py\u003c/code\u003e, is vulnerable to arbitrary code execution (ACE) through insecure pickle deserialization. This vulnerability, identified as a path injection issue, arises when processing CMap files within PDFs. The \u003ccode\u003e_load_data()\u003c/code\u003e method of \u003ccode\u003eCMapDB\u003c/code\u003e does not properly sanitize the CMap name extracted from a PDF. An attacker can craft a PDF with a hex-encoded absolute path (e.g., \u003ccode\u003e/#2Ftmp#2Fattacker#2Fevil\u003c/code\u003e) in the \u003ccode\u003e/Encoding\u003c/code\u003e name. Due to how Python's \u003ccode\u003eos.path.join()\u003c/code\u003e handles absolute paths, the attacker-controlled path will override the legitimate CMap directory, causing BabelDOC to load and deserialize a malicious \u003ccode\u003e.pickle.gz\u003c/code\u003e file placed by the attacker on the local system. This leads to arbitrary Python code execution with the privileges of the BabelDOC process, posing a significant risk to any user or automated pipeline processing untrusted PDF documents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker prepares a malicious Python pickle payload and writes it to a \u003ccode\u003e.pickle.gz\u003c/code\u003e file in a world-writable location on the victim's filesystem (e.g., \u003ccode\u003e/tmp/malicious.pickle.gz\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PDF document that includes a Type0 CID font definition with an \u003ccode\u003e/Encoding\u003c/code\u003e name object containing a hex-encoded absolute path pointing to the malicious \u003ccode\u003e.pickle.gz\u003c/code\u003e file (e.g., \u003ccode\u003e/#2Ftmp#2Fmalicious\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim's system, running BabelDOC (either via the CLI or an embedded application), processes the attacker's crafted PDF file.\u003c/li\u003e\n\u003cli\u003eBabelDOC's \u003ccode\u003epdfminer\u003c/code\u003e component parses the PDF, and the \u003ccode\u003epsparser\u003c/code\u003e decodes the hex-encoded \u003ccode\u003e/Encoding\u003c/code\u003e name from the font definition into an absolute path string (e.g., \u003ccode\u003e/tmp/malicious\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis attacker-controlled absolute path is passed to \u003ccode\u003eCMapDB._load_data()\u003c/code\u003e, which constructs a full file path using \u003ccode\u003eos.path.join(trusted_directory, attacker_path + \u0026quot;.pickle.gz\u0026quot;)\u003c/code\u003e. Because \u003ccode\u003eattacker_path\u003c/code\u003e is absolute, \u003ccode\u003eos.path.join()\u003c/code\u003e discards \u003ccode\u003etrusted_directory\u003c/code\u003e, resulting in the path \u003ccode\u003e/tmp/malicious.pickle.gz\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBabelDOC then attempts to open and decompress this file using \u003ccode\u003egzip.open()\u003c/code\u003e, treating it as a legitimate CMap data file.\u003c/li\u003e\n\u003cli\u003eSubsequently, the contents of the decompressed file are passed to \u003ccode\u003epickle.loads()\u003c/code\u003e, triggering the deserialization of the attacker's malicious Python object.\u003c/li\u003e\n\u003cli\u003eThe arbitrary Python code embedded in the malicious pickle payload is executed with the privileges of the BabelDOC process, leading to system compromise, data exfiltration, or further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to Arbitrary Code Execution, meaning an attacker can run any Python code on the affected system. This directly impacts end-users who interact with the \u003ccode\u003ebabeldoc\u003c/code\u003e CLI or any applications integrating its PDF processing capabilities. Automated document processing pipelines, especially those ingesting untrusted PDFs (e.g., translation services, document management systems), are highly susceptible. The attack requires the ability to place a \u003ccode\u003e.pickle.gz\u003c/code\u003e file on a local writable path, which is a common scenario in multi-user systems. Successful exploitation results in full code execution with the privileges of the compromised BabelDOC process, potentially leading to confidentiality breaches, data modification, denial of service, and depending on the environment, privilege escalation or lateral movement across the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BabelDOC to a patched version immediately to remediate the CVE-candidate vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strong input validation and sanitization for all PDF inputs processed by BabelDOC, especially for name objects and file paths within the PDF structure.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, apply the recommended patch to \u003ccode\u003ebabeldoc/pdfminer/cmapdb.py\u003c/code\u003e to correctly validate and restrict paths for CMap loading.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creations in system temporary directories (e.g., \u003ccode\u003e/tmp/\u003c/code\u003e) that end with \u003ccode\u003e.pickle.gz\u003c/code\u003e by processes like \u003ccode\u003epython\u003c/code\u003e or \u003ccode\u003ebabeldoc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict BabelDOC's execution environment using sandboxing technologies (e.g., Docker, virtual machines, or least privilege user accounts) to limit potential damage from successful arbitrary code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:40:48Z","date_published":"2026-07-10T19:40:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-babeldoc-cmap-rce/","summary":"An arbitrary code execution vulnerability exists in BabelDOC's vendored PDF parser (`babeldoc/pdfminer/cmapdb.py`) due to insecure deserialization of untrusted pickle data, allowing an attacker to craft a PDF with a specially encoded '/Encoding' name containing an absolute path that bypasses directory restrictions, leading to deserialization and execution of a malicious '.pickle.gz' file on the local filesystem with the privileges of the BabelDOC process.","title":"BabelDOC Arbitrary Code Execution via CMap Pickle Deserialization","url":"https://feed.craftedsignal.io/briefs/2026-07-babeldoc-cmap-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Funstory-Ai","version":"https://jsonfeed.org/version/1.1"}