
CVE-2025-59801: CWE-121 Stack-based Buffer Overflow in Artifex GhostXPS

Medium
Tags: Vulnerability, CVE-2025-59801, cve, cve-2025-59801, cwe-121
Published: Mon Sep 22 2025 (09/22/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Artifex
Product: GhostXPS

Description

In Artifex GhostXPS before 10.06.0, there is a stack-based buffer overflow in xps_unpredict_tiff in xpstiff.c because the samplesperpixel value is not checked.

AI-Powered Analysis

AI analysis last updated: 09/22/2025, 03:31:41 UTC

Technical Analysis

CVE-2025-59801 is a stack-based buffer overflow vulnerability identified in Artifex GhostXPS versions prior to 10.06.0. The flaw exists in the function xps_unpredict_tiff within the source file xpstiff.c. Specifically, the vulnerability arises because the 'samplesperpixel' value, which is part of the TIFF image processing logic, is not properly validated before being used. This lack of validation allows an attacker to craft a malicious XPS (XML Paper Specification) document containing a TIFF image with a manipulated 'samplesperpixel' field. When GhostXPS processes this document, the unchecked value can cause a stack-based buffer overflow, potentially overwriting adjacent memory on the stack. According to the CVSS v3.1 vector, the attack requires local access (AV:L), has low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact is limited to integrity (I:L) with no confidentiality or availability impact. No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-121, which corresponds to stack-based buffer overflows, a common and dangerous class of memory corruption bugs that can lead to code execution or application crashes if exploited successfully.
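An added illustration of the bug class described above (not Artifex's code and not taken from xpstiff.c): a TIFF horizontal-predictor undo routine that keeps per-sample state in a fixed-size stack array and bounds the file-supplied samplesperpixel before it is used as an index. The function names, the MAX_SAMPLES limit and the sample row are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed limit for this example: capacity of the per-sample state array. */
#define MAX_SAMPLES 32

/* Undo TIFF horizontal differencing on one row of 8-bit samples.
 * Returns 0 on success, -1 if the header-derived values cannot be trusted. */
int unpredict_row(uint8_t *row, size_t row_len, unsigned width,
                  unsigned samplesperpixel)
{
    uint8_t left[MAX_SAMPLES];   /* previous pixel, one slot per sample */
    unsigned x, k;

    /* samplesperpixel comes from the file, so it must be bounded before it
     * indexes a fixed-size stack array. Without this check, a large value
     * makes the loops below write past the end of left[]. */
    if (samplesperpixel == 0 || samplesperpixel > MAX_SAMPLES)
        return -1;
    /* The row buffer must really hold width * samplesperpixel bytes. */
    if (width > row_len / samplesperpixel)
        return -1;

    for (k = 0; k < samplesperpixel; k++)
        left[k] = 0;

    for (x = 0; x < width; x++) {
        for (k = 0; k < samplesperpixel; k++) {
            uint8_t *p = &row[(size_t)x * samplesperpixel + k];
            left[k] = (uint8_t)(left[k] + *p);   /* running sum, mod 256 */
            *p = left[k];
        }
    }
    return 0;
}

/* Constructed sample: 3 RGB pixels stored as differences from the left pixel. */
int demo_decode(uint8_t out[9])
{
    uint8_t row[9] = { 10, 20, 30,  1, 1, 1,  255, 0, 2 };
    int rc = unpredict_row(row, sizeof row, 3, 3);
    for (int i = 0; i < 9; i++)
        out[i] = row[i];
    return rc;
}
```
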

Potential Impact

For European organizations, the impact of this vulnerability depends on the deployment of Artifex GhostXPS in their environments. GhostXPS is a software library used for rendering and processing XPS documents, often embedded in document management systems, print servers, or other document processing workflows. A successful exploitation could allow a local attacker or a malicious insider to corrupt the integrity of the application’s memory, potentially leading to application crashes or, in worst cases, arbitrary code execution. Although the CVSS score is medium and the impact is limited to integrity without direct confidentiality or availability compromise, the changed scope indicates that the vulnerability could affect other components or processes relying on GhostXPS. European organizations handling sensitive documents or using GhostXPS in critical infrastructure may face risks of disruption or targeted attacks aiming to manipulate document processing. Since exploitation requires local access, the threat is more relevant to internal threat actors or attackers who have already gained some foothold in the network. The absence of user interaction and privileges needed increases the risk within compromised environments. Given the lack of known exploits, the immediate risk is moderate, but organizations should proactively address the vulnerability to prevent potential escalation.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Inventory and identify all systems and applications using Artifex GhostXPS, especially versions prior to 10.06.0.
2) Monitor vendor communications closely for the release of official patches or updates addressing CVE-2025-59801 and apply them promptly once available.
3) Implement strict local access controls and segmentation to limit the ability of untrusted users to execute or process untrusted XPS documents on vulnerable systems.
4) Employ application whitelisting and restrict execution privileges to minimize the risk of local exploitation.
5) Use runtime protections such as stack canaries, DEP (Data Execution Prevention), and ASLR (Address Space Layout Randomization) to reduce the likelihood of successful buffer overflow exploitation.
6) Conduct internal audits and penetration testing focusing on document processing workflows to detect potential exploitation attempts.
7) Educate staff about the risks of opening or processing untrusted XPS documents, even in local environments.
8) Consider deploying intrusion detection systems or endpoint detection and response tools capable of identifying anomalous behavior related to document processing or memory corruption attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-22T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d0bf8cb68a0c387d44cdfb

Added to database: 9/22/2025, 3:16:28 AM

Last enriched: 9/22/2025, 3:31:41 AM

Last updated: 9/26/2025, 3:52:29 AM
