
CVE-2025-9394: Use After Free in PoDoFo

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-9394, cve, cve-2025-9394
Published: Sun Aug 24 2025 (08/24/2025, 16:02:07 UTC)
Source: CVE Database V5
Product: PoDoFo

Description

A flaw has been found in PoDoFo 1.1.0-dev. It affects the function PdfTokenizer::DetermineDataType in the file src/podofo/main/PdfTokenizer.cpp, part of the PDF Dictionary Parser component. Manipulation can lead to a use after free. The attack can be launched on the local host. The exploit has been published and may be used. The patch is identified as 22d16cb142f293bf956f66a4d399cdd65576d36c and should be applied to remediate this issue.

AI-Powered Analysis

Last updated: 09/01/2025, 01:07:15 UTC

Technical Analysis

CVE-2025-9394 is a use-after-free vulnerability identified in PoDoFo version 1.1.0-dev, specifically within the PdfTokenizer::DetermineDataType function located in the PDF Dictionary Parser component (src/podofo/main/PdfTokenizer.cpp). PoDoFo is an open-source library used for parsing and manipulating PDF files. The vulnerability arises when the function improperly manages memory, leading to a use-after-free condition. This means that after a memory region is freed, the program continues to use it, which can cause undefined behavior including crashes, data corruption, or potentially arbitrary code execution.

The vulnerability requires local access to the host system and low privileges (PR:L), does not require user interaction, and has low complexity for an attacker to exploit. The CVSS 4.0 base score is 4.8 (medium severity), reflecting limited impact on confidentiality, integrity, and availability, and the attack vector is local. Although no known exploits are currently in the wild, a proof-of-concept exploit has been published, increasing the risk of exploitation.

A patch identified by commit 22d16cb142f293bf956f66a4d399cdd65576d36c has been released to remediate the issue. The vulnerability does not affect the security context or scope beyond the local process, but successful exploitation could lead to application crashes or potential escalation if combined with other vulnerabilities. Since PoDoFo is often integrated into PDF processing tools and applications, any software relying on this library and using the affected version is at risk.

Potential Impact

For European organizations, the impact of CVE-2025-9394 depends largely on the extent to which PoDoFo 1.1.0-dev is used within their software stacks. Organizations that utilize PoDoFo for PDF parsing in internal tools, document management systems, or custom applications may face risks of application instability or denial of service due to crashes triggered by crafted PDF files. Although the vulnerability requires local access and low privileges, it could be leveraged by malicious insiders or through chained attacks involving local code execution. The medium severity score suggests limited direct impact on confidentiality or integrity, but availability could be affected if critical PDF processing services crash. Furthermore, if PoDoFo is embedded in software used in sensitive environments (e.g., financial institutions, government agencies, or healthcare providers), the disruption could have operational consequences. The lack of remote exploitability reduces the risk of widespread attacks but does not eliminate the threat in environments where local access can be gained. European organizations should be aware that the vulnerability could be exploited in targeted attacks or insider threat scenarios.

Mitigation Recommendations

1. Immediate application of the official patch (commit 22d16cb142f293bf956f66a4d399cdd65576d36c) to all instances of PoDoFo 1.1.0-dev in use is critical.
2. Conduct an inventory of all software and systems using PoDoFo to identify affected versions.
3. Where patching is not immediately feasible, implement strict access controls to limit local user privileges and prevent untrusted users from accessing systems running vulnerable PoDoFo versions.
4. Monitor logs and system behavior for unusual crashes or anomalies in PDF processing applications that could indicate exploitation attempts.
5. Employ application whitelisting and endpoint protection to detect and block exploitation attempts.
6. For development teams, review and harden memory management practices in PDF parsing code to prevent similar vulnerabilities.
7. Educate users and administrators about the risks of opening untrusted PDF files, especially on systems where PoDoFo is used.
8. Consider sandboxing or isolating PDF processing components to limit the impact of potential exploitation.
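
One way to carry out recommendations 1 and 2 on a build or application host, as an added example that is not part of the advisory or of PoDoFo: it lists PoDoFo libraries and source trees under a directory and checks whether each git checkout contains the fix commit. The function names and library file-name patterns are assumptions; the commit id and source path are the ones given above.

```shell
#!/bin/sh
# Added example: PoDoFo inventory and fix-commit check (function names are hypothetical).
FIX_COMMIT=22d16cb142f293bf956f66a4d399cdd65576d36c  # patch commit named in the advisory
SRC_MARK=/src/podofo/main/PdfTokenizer.cpp            # affected file named in the advisory

# Print "library <path>" for PoDoFo binaries and "source <tree>" for source
# trees under $1. File-name patterns are an assumption about how builds name
# the library; binaries carry no commit id, so check those via the package version.
podofo_inventory() {
    find "$1" \( -type f -o -type l \) \( -name 'libpodofo*.so*' \
        -o -name 'libpodofo*.a' -o -name 'libpodofo*.dylib' \
        -o -name 'podofo*.dll' \) 2>/dev/null | sed 's/^/library /'
    find "$1" -type f -path "*$SRC_MARK" 2>/dev/null |
    while IFS= read -r f; do
        printf 'source %s\n' "${f%"$SRC_MARK"}"
    done
}

# Classify a source tree ($1) against a commit ($2, default FIX_COMMIT):
#   patched   - the commit is an ancestor of HEAD
#   unpatched - the commit is known locally but HEAD does not contain it
#   unknown   - no git history, or the commit object is absent (tarball copy,
#               shallow or stale clone, backport under another hash)
podofo_fix_status() {
    tree=$1 commit=${2:-$FIX_COMMIT}
    git -C "$tree" cat-file -e "${commit}^{commit}" 2>/dev/null ||
        { echo unknown; return 0; }
    if git -C "$tree" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        echo patched
    else
        echo unpatched
    fi
}

# With directory arguments, report every hit; with none, only define functions.
for root in "$@"; do
    podofo_inventory "$root" | while read -r kind path; do
        case $kind in
            source) echo "$kind $path $(podofo_fix_status "$path")" ;;
            *)      echo "$kind $path" ;;
        esac
    done
done
```

Trees reported as `unknown` need a manual comparison against the upstream patch, since a vendored copy without history cannot be matched to a commit id.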


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-23T15:43:19.998Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ab3b25ad5a09ad0033d47b

Added to database: 8/24/2025, 4:17:41 PM

Last enriched: 9/1/2025, 1:07:15 AM

Last updated: 10/9/2025, 2:16:30 AM
