CVE-2025-55780: n/a
A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain.
AI Analysis
Technical Summary
CVE-2025-55780 is a high-severity vulnerability identified in MuPDF version 1.26.4, a lightweight PDF and document rendering library widely used for viewing and processing PDF, EPUB, and other document formats. The vulnerability arises from a null pointer dereference in the function break_word_for_overflow_wrap(), which is involved in rendering EPUB documents. Specifically, this function calls fz_html_split_flow() to split a FLOW_WORD node within the document's internal representation. However, it fails to verify whether node->next is valid before accessing node->next->overflow_wrap. If the split operation fails or returns a partial node chain, this results in dereferencing a null pointer, causing the application to crash.
This crash leads to a denial-of-service (DoS) condition when processing a malformed EPUB document. The vulnerability does not impact confidentiality or integrity but severely affects availability by crashing the rendering process. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H).
No known exploits are currently in the wild, and no patches have been linked yet. The root cause aligns with CWE-476 (NULL Pointer Dereference), a common programming error that can lead to application crashes and potential DoS attacks. Since MuPDF is often embedded in various document viewers and software, this vulnerability could be triggered remotely by processing a crafted EPUB file, making it a significant risk in environments where EPUB rendering is enabled.
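The missing check described above, shown as an added example in C that is not MuPDF's code. The `flow` struct and `split_flow()` are simplified, hypothetical stand-ins for the library's flow nodes and fz_html_split_flow(); the hardened caller confirms that the split produced a new node before writing to it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a flow node; not MuPDF's real structures. */
enum { FLOW_WORD = 1 };
typedef struct flow {
    int type, overflow_wrap;
    char text[32];
    struct flow *next;
} flow;

/* Hypothetical splitter: links the tail as node->next, or creates nothing. */
static void split_flow(flow *node, size_t offset)
{
    size_t len = strlen(node->text);
    flow *tail = (offset > 0 && offset < len) ? calloc(1, sizeof *tail) : NULL;
    if (!tail) return;                   /* bad offset or out of memory */
    tail->type = FLOW_WORD;
    memcpy(tail->text, node->text + offset, len - offset + 1);
    tail->next = node->next;
    node->text[offset] = '\0';
    node->next = tail;
}

/* Pattern the advisory describes (node->next used without a check):
 *     split_flow(node, offset);
 *     node->next->overflow_wrap = 1;    NULL dereference if the split failed
 * Hardened form: 1 = tail created and flagged, 0 = word left unbroken. */
int break_word_checked(flow *node, size_t offset)
{
    flow *before = node ? node->next : NULL;
    if (!node || node->type != FLOW_WORD)
        return 0;
    split_flow(node, offset);
    if (!node->next || node->next == before)
        return 0;                        /* no new node: nothing to flag */
    node->next->overflow_wrap = 1;
    return 1;
}

int main(void)
{
    flow w = { FLOW_WORD, 0, "unbreakableword", NULL };  /* constructed sample */
    int failed = break_word_checked(&w, 99);             /* split cannot happen */
    int ok = break_word_checked(&w, 5);                  /* "unbre" + "akableword" */
    printf("failed=%d ok=%d tail=%s\n", failed, ok, ok ? w.next->text : "-");
    free(w.next);
    return 0;
}
```

Comparing node->next with its value before the call also covers the partial-chain case, where an existing successor is present but no new tail was created.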
Potential Impact
For European organizations, the primary impact of CVE-2025-55780 is denial of service in applications or services that utilize MuPDF 1.26.4 or similar vulnerable versions to render EPUB documents. This could affect e-book readers, document management systems, content delivery platforms, and any internal tools that process EPUB files. The DoS condition could disrupt business operations, cause service outages, or degrade user experience, especially in sectors relying on digital document workflows such as publishing, education, and government. Although the vulnerability does not allow code execution or data compromise, repeated crashes could be exploited to degrade service availability or as part of a larger attack chain. European organizations with automated document processing pipelines or public-facing document viewers are at risk of receiving maliciously crafted EPUB files that trigger this crash. The lack of required privileges and user interaction increases the risk of exploitation. Additionally, organizations that distribute EPUB content or provide EPUB rendering capabilities in their software products must urgently assess and remediate this vulnerability to maintain service reliability and compliance with operational continuity standards.
Mitigation Recommendations
1. Immediate mitigation involves updating MuPDF to a patched version once available from the vendor or community. Since no patch links are currently provided, organizations should monitor official MuPDF repositories and security advisories for updates addressing this issue.
2. As a temporary workaround, disable EPUB rendering functionality in applications using MuPDF if feasible, especially in environments where EPUB processing is not critical.
3. Implement input validation and filtering to detect and block malformed or suspicious EPUB files before they reach the rendering engine.
4. Employ application-level sandboxing or process isolation for document rendering components to contain crashes and prevent broader system impact.
5. Monitor logs and application behavior for unexpected crashes or service interruptions related to document rendering.
6. For organizations developing software with MuPDF integration, review and enhance error handling around node processing to prevent null pointer dereferences.
7. Educate users and administrators about the risks of opening untrusted EPUB files, particularly from unknown sources.
8. Incorporate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.
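One way to apply recommendations 4 and 5 on a POSIX host, as an added example in C that is not code from MuPDF or from this advisory: the render call runs in a child process, so a crash ends only the child and the parent gets a status it can log. `render_fn`, the stand-in renderers and the file name are assumptions made for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum { RENDER_OK, RENDER_FAILED, RENDER_CRASHED } render_status;
typedef int (*render_fn)(const char *path);  /* hypothetical renderer entry point */

/* Run `render` on `path` in a child process and classify how it ended. */
render_status render_isolated(render_fn render, const char *path, unsigned timeout_s)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return RENDER_FAILED;
    if (pid == 0) {
        alarm(timeout_s);                /* a hung render is killed by SIGALRM */
        _exit(render(path) == 0 ? 0 : 1);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return RENDER_FAILED;
    if (WIFSIGNALED(status))
        return RENDER_CRASHED;           /* e.g. SIGSEGV from a NULL dereference */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? RENDER_OK : RENDER_FAILED;
}

/* Constructed stand-ins for a document renderer. */
int render_good(const char *path)     { (void)path; return 0; }
int render_failing(const char *path)  { (void)path; return -1; }
int render_crashing(const char *path) { (void)path; raise(SIGSEGV); return 0; }

int main(void)
{
    render_status good = render_isolated(render_good, "sample.epub", 5);
    render_status bad = render_isolated(render_crashing, "sample.epub", 5);
    printf("good=%d crashing=%d\n", good, bad);  /* parent survives both */
    return 0;
}
```

This contains the crash only; the child still has the parent's privileges, so it does not replace a sandbox for untrusted files.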
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68d336ae712f26b964ce8efa
Added to database: 9/24/2025, 12:09:18 AM
Last enriched: 10/1/2025, 12:39:02 AM
Last updated: 11/6/2025, 3:52:10 PM