PatchSiren cyber security CVE debrief

CVE-2017-5854 Podofo Project CVE debrief

CVE-2017-5854 is a denial-of-service vulnerability in PoDoFo 0.9.4 tied to a NULL pointer dereference in base/PdfOutputStream.cpp. The NVD record rates it medium severity and classifies the impact as availability-only. In practice, the issue is relevant anywhere PoDoFo is used to open or process untrusted PDF content, especially in workflows where a crafted file may be handled by a user or automated job.

Vendor: Podofo Project
Product: PoDoFo 0.9.4
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Teams that ship, embed, or operationally depend on PoDoFo 0.9.4 should care, especially document-processing services, desktop applications, conversion pipelines, and security tools that ingest untrusted PDFs or other crafted files.

Technical summary

The NVD record describes a NULL pointer dereference in base/PdfOutputStream.cpp in PoDoFo 0.9.4, triggered by a crafted file and resulting in a crash. The mapped weakness is CWE-476 (NULL Pointer Dereference). NVD's CVSS v3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, no confidentiality or integrity impact, high availability impact, and a user-interaction requirement. The source description also says remote attackers can cause a denial of service, whereas the vector scores a local attack vector; defenders should therefore treat the exploit path as input-driven and file-centric (a crafted file that reaches the parser by any channel) and use the CVSS vector for the exposure characteristics.

Defensive priority

Medium. This is a crash/availability issue rather than a code-execution flaw, but it can still disrupt services or workflows that process untrusted files. Prioritize if PoDoFo 0.9.4 is exposed to external content or used in automated ingestion.

Recommended defensive actions

  • Inventory systems using PoDoFo 0.9.4 and identify any path that processes untrusted files.
  • Upgrade or patch PoDoFo to a fixed release if available from your vendor or upstream.
  • If immediate upgrading is not possible, restrict who can submit files for processing and add pre-ingestion controls for untrusted documents.
  • Monitor document-processing services for unexpected crashes or repeated failures that may indicate malformed-input handling issues.
  • Validate that any PDF-handling pipeline runs with least privilege and can recover cleanly from parser crashes.
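The last two actions above, running the parser so that a crash cannot take the service down and noticing when crashes cluster, can be put into working code. The following is an added example written for this debrief; it is not PatchSiren's or PoDoFo's code. It assumes a hypothetical PoDoFo-based command-line worker (stood in for here by a child Python process that kills itself with a named signal) and a constructed log format of the wrapper's own; a NULL pointer dereference such as the one in CVE-2017-5854 reaches the parent as termination by SIGSEGV, which the wrapper records instead of propagating.

```python
"""Isolate untrusted PDF parsing in a resource-limited child and flag crash bursts.

Added example (not PatchSiren's or PoDoFo's code). The worker command and the
log format are assumptions for illustration.
"""
import re
import signal
import subprocess
import sys
from datetime import datetime, timezone

try:
    import resource  # POSIX only; limits are skipped where unavailable
except ImportError:
    resource = None


def _cap(res, value):
    """Lower a resource limit to `value`, never above the current hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limit_child(cpu_seconds, mem_bytes):
    """Return a preexec hook that caps CPU time and address space of the child."""
    def apply():
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)
    return apply


def run_isolated(cmd, timeout=30, cpu_seconds=20, mem_bytes=1 << 30):
    """Run `cmd` as a separate process and classify the outcome.

    Status is "ok", "error" (non-zero exit), "crash" (killed by a signal, e.g.
    SIGSEGV from a NULL dereference) or "timeout". The parent shares no memory
    with the parser, so a crash in the child is an event, not an outage.
    """
    hook = _limit_child(cpu_seconds, mem_bytes) if resource else None
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout,
                              preexec_fn=hook)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": None, "signal": None}
    rc = proc.returncode
    if rc < 0:  # POSIX: negative return code means the child died from signal -rc
        return {"status": "crash", "returncode": rc, "signal": signal.Signals(-rc).name}
    return {"status": "ok" if rc == 0 else "error", "returncode": rc, "signal": None}


def worker_command(code):
    """Constructed stand-in for the hypothetical PoDoFo worker: a Python child
    running `code`. Real deployments would pass the worker binary and the file path."""
    return [sys.executable, "-c", code]


def crash_command(sig_name):
    """A stand-in worker that dies the way a parser does on a crafted file."""
    return worker_command(f"import os, signal; os.kill(os.getpid(), signal.{sig_name})")


# Constructed sample log in the wrapper's own line format (not real PoDoFo output).
SAMPLE_LOG = """\
2017-02-01T10:00:01Z worker=pdf-1 file=invoice.pdf status=ok
2017-02-01T10:00:05Z worker=pdf-1 file=upload-7f3.pdf status=crash signal=SIGSEGV
2017-02-01T10:00:09Z worker=pdf-2 file=upload-7f3.pdf status=crash signal=SIGSEGV
2017-02-01T10:00:20Z worker=pdf-1 file=report.pdf status=error
2017-02-01T10:00:31Z worker=pdf-1 file=upload-7f3.pdf status=crash signal=SIGSEGV
2017-02-01T10:15:00Z worker=pdf-2 file=brochure.pdf status=ok
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) worker=(?P<worker>\S+) file=(?P<file>\S+) "
                    r"status=(?P<status>\w+)(?: signal=(?P<signal>\w+))?$")


def parse_log(text):
    """Parse wrapper log lines into dicts with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than fail the monitor
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def crash_bursts(events, threshold=3, window_seconds=60):
    """Sliding window over crash events; returns the files involved in any window
    holding at least `threshold` crashes. The same file crashing repeatedly is
    the sign that a malformed input is being retried instead of quarantined."""
    crashes = sorted((e for e in events if e["status"] == "crash"), key=lambda e: e["ts"])
    flagged, start = set(), 0
    for end, ev in enumerate(crashes):
        while (ev["ts"] - crashes[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(c["file"] for c in crashes[start:end + 1])
    return sorted(flagged)


if __name__ == "__main__":
    print(run_isolated(crash_command("SIGSEGV")))  # status "crash", signal SIGSEGV
    print(crash_bursts(parse_log(SAMPLE_LOG)))      # ['upload-7f3.pdf']
```

On the sample log, three SIGSEGV terminations on the same upload within 26 seconds cross the default threshold, so that file is what an operator would pull out of the queue and keep for analysis; a single crash followed by a clean retry would not fire. The rlimits bound the damage of any one job, and the classification by exit status lets the service keep serving the next file.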

Evidence notes

Primary source: NVD record for CVE-2017-5854, published 2017-03-01 and modified 2026-05-13. The NVD CPE entry identifies PoDoFo 0.9.4 as vulnerable. Supporting references include the Gentoo advisory on 2017-02-01 and OSS-security follow-up references on 2017-02-01 and 2017-02-02. The official record maps the weakness to CWE-476 and gives the CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Official resources

CVE published on 2017-03-01. Supporting advisories referenced in the record appeared on 2017-02-01 and 2017-02-02. The NVD record was later modified on 2026-05-13; that modification date is not the vulnerability date.