Foxit PDF Reader CVE-2025-9329: Brief Summary of PRC Parsing Out-of-Bounds Read RCE

This post provides a brief summary of CVE-2025-9329, a high-severity out-of-bounds read vulnerability in Foxit PDF Reader's PRC file parsing, which can lead to remote code execution. It covers affected versions, technical details, and official patch information.
CVE Analysis


ZeroPath CVE Analysis


2025-09-02

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Remote attackers can achieve code execution on user systems simply by getting a target to open a malicious PDF. This is the real-world risk posed by CVE-2025-9329, a high-severity vulnerability in Foxit PDF Reader's PRC file parsing logic. Foxit PDF Reader is one of the most widely used alternatives to Adobe Acrobat, with hundreds of millions of users worldwide and a significant presence in enterprise, government, and technical sectors. The PRC format, used for embedding 3D models in PDFs, is a specialized but powerful feature that increases the attack surface for document-based exploits.

Technical Information

CVE-2025-9329 is an out-of-bounds read vulnerability (CWE-125) in the PRC file parsing component of Foxit PDF Reader. The PRC (Product Representation Compact) format allows embedding of 3D data within PDF documents. When Foxit PDF Reader encounters a PDF containing a PRC stream, it invokes a parser responsible for interpreting the 3D model data. The vulnerability is triggered when the parser processes user-supplied PRC data that contains manipulated length or index fields. Due to insufficient validation, the parser may perform a memory read operation that extends past the end of the allocated buffer for the PRC structure. This out-of-bounds read can result in information disclosure or, under certain conditions, enable remote code execution in the context of the current user. Exploitation requires user interaction: the victim must open a malicious PDF or visit a web page that loads such a document. The flaw was reported as ZDI-CAN-26772 by Mat Powell through Trend Micro's Zero Day Initiative. No public proof-of-concept or code snippet is available at this time.
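The defect class described above, a parser trusting length and index fields taken from the file, is easiest to see on a small example. The following C code is an added illustration for this post; it is not Foxit's code, does not model the real PRC format, and the record layout (a hypothetical 16-bit count, a 16-bit index, then a byte table) is invented here. It shows an unchecked lookup next to a checked one that validates every file-supplied field against the actual buffer size before using it, which is the mitigation pattern a parser needs to avoid CWE-125.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes returned by the checked parser. */
enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED_HEADER = -1,   /* buffer shorter than the fixed header */
    PARSE_ERR_LENGTH_EXCEEDS_BUF = -2, /* declared count runs past the buffer */
    PARSE_ERR_INDEX_OUT_OF_RANGE = -3  /* declared index is not < count */
};

/* Hypothetical record layout (constructed for this example, little-endian):
 *   u16 count      number of table entries following the header
 *   u16 idx        entry the consumer wants to read
 *   u8  table[count]
 */
#define HDR_LEN 4

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked pattern, shown for contrast only: it trusts idx from the data.
 * A record whose idx points past the end of the buffer makes this read
 * out of bounds, which is the CWE-125 condition the advisory describes.
 * This example only ever calls it on a well-formed record. */
static uint8_t lookup_unchecked(const uint8_t *buf)
{
    uint16_t idx = rd_u16(buf + 2);
    return buf[HDR_LEN + idx];
}

/* Checked pattern: every field read from the file is validated against the
 * real buffer length before it is used as a length or an index. */
static int lookup_checked(const uint8_t *buf, size_t buf_len, uint8_t *out)
{
    if (buf_len < HDR_LEN)
        return PARSE_ERR_TRUNCATED_HEADER;
    uint16_t count = rd_u16(buf);
    uint16_t idx = rd_u16(buf + 2);
    /* buf_len >= HDR_LEN here, so the subtraction cannot wrap. */
    if ((size_t)count > buf_len - HDR_LEN)
        return PARSE_ERR_LENGTH_EXCEEDS_BUF;
    if (idx >= count)
        return PARSE_ERR_INDEX_OUT_OF_RANGE;
    *out = buf[HDR_LEN + idx];
    return PARSE_OK;
}

/* Constructed sample records (not real PRC data). */
static const uint8_t rec_good[]    = {0x03, 0x00, 0x01, 0x00, 0xAA, 0xBB, 0xCC};
static const uint8_t rec_bad_len[] = {0x10, 0x00, 0x00, 0x00, 0xAA};
static const uint8_t rec_bad_idx[] = {0x03, 0x00, 0x05, 0x00, 0xAA, 0xBB, 0xCC};
static const uint8_t rec_empty[]   = {0x00, 0x00, 0x00, 0x00};
static const uint8_t rec_trunc[]   = {0x03, 0x00, 0x01};

/* Small wrappers so each sample's outcome is a plain return value. */
static int status_of(const uint8_t *buf, size_t len)
{
    uint8_t v;
    return lookup_checked(buf, len, &v);
}

/* Returns the looked-up byte, or -1 if the record was rejected. */
static int value_of(const uint8_t *buf, size_t len)
{
    uint8_t v;
    return lookup_checked(buf, len, &v) == PARSE_OK ? (int)v : -1;
}

int main(void)
{
    printf("good record, checked:   0x%02X\n", value_of(rec_good, sizeof rec_good));
    printf("good record, unchecked: 0x%02X\n", lookup_unchecked(rec_good));
    printf("oversized count:  status %d\n", status_of(rec_bad_len, sizeof rec_bad_len));
    printf("index >= count:   status %d\n", status_of(rec_bad_idx, sizeof rec_bad_idx));
    printf("count == 0:       status %d\n", status_of(rec_empty, sizeof rec_empty));
    printf("truncated header: status %d\n", status_of(rec_trunc, sizeof rec_trunc));
    return 0;
}
```

The order of the checks matters: the header must be known to fit before its fields are read, the count must be bounded by the real buffer before it bounds anything else, and only then can the index be compared to the count. Skipping any one of the three reintroduces a read past the buffer on crafted input, and fuzzing a parser with records like `rec_bad_len` and `rec_bad_idx` under AddressSanitizer is the standard way to surface such reads before release.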

Patch Information

Foxit has released updates to address a related redaction issue in their PDF Editor, which could result in partial redaction under specific conditions. The issue occurs when using the "Search and Redact" or "Smart Redact" features with multi-word search terms containing spaces, and when the text object includes a character larger than the search text. To resolve this, Foxit has released the following versions:

  • PDF Editor v2024.2.3
  • PDF Editor v13.1.3
  • Mac Editor v2024.2.3

Users are advised to update to these versions to ensure complete and accurate redaction of sensitive information. The updates are available for download on Foxit's official website. (foxit.com)

Affected Systems and Versions

CVE-2025-9329 affects Foxit PDF Reader installations that parse PRC streams in PDF documents. The vulnerability is present in all versions prior to the patched releases. Specifically:

  • Foxit PDF Reader for Windows: All versions before 2025.2.0.33046
  • Foxit PDF Reader for Mac: All versions before 2025.2
  • Foxit PDF Editor: All versions before v2024.2.3, v13.1.3, and Mac Editor v2024.2.3

Any configuration that allows parsing of PRC content in PDFs is vulnerable if running these versions.

Vendor Security History

Foxit Software has a history of memory safety issues in its PDF products. Previous vulnerabilities include memory corruption in JavaScript execution and file parsing components, such as CVE-2020-14425 and CVE-2024-28888. Foxit generally responds to vulnerability disclosures with coordinated patch releases, but the recurrence of memory corruption flaws indicates persistent challenges in secure parser implementation. Foxit maintains a dedicated security advisory portal and coordinates with external researchers through programs like the Zero Day Initiative.
