Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
E
Unchanged
Affected products
- py-pdf / pypdf< 6.0.0 – < 6.0.0
References
- VENDOR_ADVISORYhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-7hfw-26vp-jp8m
- MISChttps://github.com/py-pdf/pypdf/issues/3429
- PATCHhttps://github.com/py-pdf/pypdf/pull/3430
- MISChttps://github.com/py-pdf/pypdf/blob/0dd57738bbdcdb63f0fb43d8a6b3d222b6946595/pypdf/filters.py#L72-L143
- PATCHhttps://github.com/py-pdf/pypdf/releases/tag/6.0.0