CVE-2025-48708 PoC — Artifex Ghostscript Security Vulnerability

Associated Vulnerability
Title: Artifex Ghostscript Security Vulnerability (CVE-2025-48708)
Description: gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the # case. A created PDF document includes its password in cleartext.
Description
CVE-2025-48708 Ghostscript PDF lack of argument sanitization leading to password leakage
Readme
# CVE-2025-48708

## Description

A vulnerability in **Artifex Ghostscript** before version **10.05.1** causes the plaintext password used to protect a PDF file to be embedded in the output. The issue is due to a lack of argument sanitization in `gs_lib_ctx_stash_sanitized_arg` (`base/gslibctx.c`), particularly when handling `#` characters.

When generating a password-protected PDF using command-line arguments like `-sUserPassword` or `-sOwnerPassword`, the entire invocation, including passwords, is stored in cleartext at the beginning of the generated PDF. Anyone with access to the file can retrieve the password using simple tools like `type` (on Windows) or `cat` (on Linux/macOS).
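
To find already-generated files that carry this leak, the following added example (not part of the original README or of Ghostscript) scans the head of each PDF for the password switches named above and reports them without echoing the secret. The 8 KiB head window, the treatment of a `?` value as already masked, and the sample byte strings are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Password switches named on this page. '#' is the separator the sanitizer missed;
# '=' is matched as well so an unmasked value in that form is also reported.
LEAK_RE = re.compile(rb"-s(UserPassword|OwnerPassword)([#=])(\S+)")
HEAD_BYTES = 8192  # assumption: the embedded invocation sits in the first few KiB

def find_leaked_password_args(data: bytes):
    """Return [(switch, separator, value_length)] for password switches in the file head."""
    hits = []
    for m in LEAK_RE.finditer(data[:HEAD_BYTES]):
        value = m.group(3)
        # Assumption: a value made only of '?' or '*' is a masked placeholder, not a secret.
        if value.strip(b"?*") == b"":
            continue
        hits.append((m.group(1).decode(), m.group(2).decode(), len(value)))
    return hits

def scan_tree(root):
    """Map each *.pdf under root to its findings; files without findings are omitted."""
    report = {}
    for path in Path(root).rglob("*.pdf"):
        with open(path, "rb") as fh:
            hits = find_leaked_password_args(fh.read(HEAD_BYTES))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: a PDF head with the invocation embedded as described above,
# and a head without it. The exact layout of the embedded line is assumed.
SAMPLE_LEAKY = (
    b"%PDF-1.4\n% gswin64.exe -dCompatibilityLevel#1.4 -sUserPassword#123456789 "
    b"-sOwnerPassword#123456789 -q -dSAFER -sDEVICE#pdfwrite\n1 0 obj\n"
)
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for switch, sep, n in hits:
            print(f"{path}: -s{switch}{sep}<{n} chars redacted>")
```

Any file this reports should be regenerated with a fixed Ghostscript build, and the exposed password should be treated as compromised.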

## Steps to Reproduce

1. **Install Ghostscript version 10.05.0 or earlier**    
   [https://github.com/ArtifexSoftware/ghostpdl-downloads](https://github.com/ArtifexSoftware/ghostpdl-downloads)

2. **Generate a password-protected PDF** using a command such as:

   ```cmd
   gswin64.exe -dDisplayFormat=198788 -dDisplayResolution=96 -dCompatibilityLevel#1.4 -sUserPassword#123456789 -sOwnerPassword#123456789 -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE#pdfwrite -sOutputFile#C:\Users\Admin\Downloads\test.pdf
   ```

3. **Inspect the generated PDF**:

   ```cmd
   type C:\Users\Admin\Downloads\test.pdf
   ```

   You will see the full command-line string, including the plaintext passwords, embedded at the beginning of the file.

## References 
- https://nvd.nist.gov/vuln/detail/CVE-2025-48708
- https://bugs.ghostscript.com/show_bug.cgi?id=708446
- http://www.openwall.com/lists/oss-security/2025/05/23/2
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b587663c623b4462f9e78686a31fd880207303ee