CVE-2013-4472 in Poppler
Summary
by MITRE
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.
Analysis
by VulDB Data Team • 05/11/2026
CVE-2013-4472 is a critical security flaw in the Xpdf and Poppler document processing libraries that affects systems running operating systems other than Unix. It stems from the openTempFile function in the goo/gfile.cc component of these libraries, which handles temporary file creation and management. Because the software generates temporary files with predictable names, local attackers have a window of opportunity to exploit the system through symbolic link manipulation.
The vulnerability is a race condition: an attacker creates a symbolic link with the same predictable name that the vulnerable application will generate for its temporary file. When the application opens the temporary file, it follows the symbolic link and operates on a file of the attacker's choosing rather than on the intended temporary file. This is a symlink-based file overwrite attack, a well-documented class of attack and a classic example of insecure temporary file handling. The vulnerability is particularly dangerous because it allows arbitrary file overwrite, potentially enabling attackers to modify system files, inject malicious code, or escalate privileges within the application's execution context.
The operational impact of CVE-2013-4472 extends beyond simple file overwrite capabilities, as it can be leveraged for privilege escalation and persistent system compromise. When exploited successfully, this vulnerability enables local attackers to manipulate the behavior of applications that depend on Xpdf or Poppler libraries, potentially leading to complete system compromise if the affected applications run with elevated privileges. The attack vector is particularly concerning because it requires minimal privileges and can be executed without user interaction, making it an attractive target for attackers seeking to establish persistent access to systems. This vulnerability has been classified under CWE-377 as "Insecure Temporary File" and aligns with ATT&CK technique T1059.007 for "Command and Scripting Interpreter: JavaScript" when considering the potential for script-based exploitation in document processing environments.
Mitigation strategies for CVE-2013-4472 require immediate attention through software updates and system hardening measures. The most effective solution involves upgrading to versions of Xpdf and Poppler that have patched this vulnerability, specifically versions 0.24.4 and later which implement proper temporary file handling mechanisms. Organizations should also implement temporary workarounds such as disabling the use of vulnerable applications that rely on affected libraries, implementing proper file system permissions, and monitoring for suspicious file creation patterns in temporary directories. Security teams should conduct thorough vulnerability assessments to identify all systems running affected software versions and ensure that automatic update mechanisms are properly configured to prevent exploitation attempts. Additionally, system administrators should review application configurations to ensure that temporary file directories are properly secured with restrictive permissions and that symbolic link creation is restricted in these critical locations to prevent exploitation of similar vulnerabilities in other components.
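The weak and hardened temporary-file patterns described above, as an added example that is not Xpdf or Poppler code: it uses POSIX calls to show the general pattern (the advisory's affected code path is the non-Unix one), and every function name, path and file content in it is constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: open a predictable path for writing. fopen("wb") follows
 * symlinks and truncates whatever file the path resolves to. */
FILE *open_temp_weak(const char *path) { return fopen(path, "wb"); }

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything, including
 * a symlink, already occupies the name. Mode 0600 keeps the file private. */
FILE *open_temp_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return NULL;
    FILE *f = fdopen(fd, "wb");
    if (!f) { close(fd); unlink(path); }
    return f;
}

/* Preferred: mkstemp picks an unpredictable name and creates it exclusively. */
FILE *open_temp_random(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/tmpXXXXXX", dir) >= (int)outlen) return NULL;
    int fd = mkstemp(out);
    return fd < 0 ? NULL : fdopen(fd, "wb");
}

/* Constructed scenario in a private scratch directory: a symlink already sits
 * at the predictable temp name and points at "protected". Returns the size of
 * "protected" after the chosen opener ran (7 = untouched, 0 = truncated). */
long protected_size_after(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX", prot[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(prot, sizeof prot, "%s/protected", dir);
    snprintf(tmp, sizeof tmp, "%s/app_tmp_0001", dir);
    FILE *p = fopen(prot, "wb");
    if (!p) return -1;
    fputs("do-not!", p); fclose(p);          /* 7 bytes of constructed content */
    if (symlink(prot, tmp) != 0) return -1;
    FILE *f = hardened ? open_temp_exclusive(tmp) : open_temp_weak(tmp);
    if (f) fclose(f);
    long size = stat(prot, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(prot); rmdir(dir);
    return size;
}
```

The exclusive open closes the overwrite path even when the name is guessable; the random name additionally keeps another local user from occupying the name first and making the open fail.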