[Security] weave==0.52.17 ships vulnerable pdfminer.six==20240706 (CVE-2025-64512) via polyfile-weave

[ANI717]

weave version 0.52.17 depends on the polyfile-weave package, which in turn pins pdfminer.six==20240706. This version of pdfminer.six is affected by CVE-2025-64512, a vulnerability that can lead to arbitrary code execution when processing a maliciously crafted PDF.

As a result, any Weave usage path that exercises polyfile-weave's PDF parsing on untrusted input may be exploitable.

[Alea4jacta6est]

any news on this?

[andrewtruong]

Hey, we're aware of this and are pending the upstream to resolve this here:
pdfminer/pdfminer.six#1172

[kenwoodjw]

seems need to upgrade polyfile-weave