Severity: UNKNOWN · Ecosystem: PyPI

pypdf can exhaust RAM via manipulated LZWDecode streams

GHSA-jfx9-29x2-rv3j · CVE-2025-62708


Description

Impact

An attacker can craft a PDF that causes pypdf to consume a large amount of memory when it is processed. Triggering the issue requires parsing the content stream of a page that uses the LZWDecode filter.

Patches

This has been fixed in pypdf==6.1.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3502.
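One containment measure while a vulnerable pypdf version is still installed, as an added example that is not part of the advisory or of pypdf itself: parse untrusted PDFs in a forked child whose address space is capped with RLIMIT_AS, so a content stream that decodes to far more data than expected fails inside the child instead of exhausting RAM in the host process. This assumes Linux (RLIMIT_AS is not enforced on macOS); pypdf is assumed installed only for the `extract_all_text` worker, and `_allocate` is a constructed stand-in used to show the cap without a malicious file.

```python
import multiprocessing
import os
import resource

EXIT_OK = 0
EXIT_MEMORY = 3  # child hit the address-space cap
MIB = 1024 * 1024


def _capped_child(limit_bytes, func, args):
    # Cap the child's virtual address space so a runaway decode fails with
    # MemoryError in the child instead of exhausting RAM on the host.
    resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))
    try:
        func(*args)
    except MemoryError:
        os._exit(EXIT_MEMORY)
    os._exit(EXIT_OK)


def run_memory_capped(func, args=(), limit_mib=512, timeout_s=60):
    """Run func(*args) in a forked child; return 'ok', 'memory_exhausted' or 'failed'."""
    ctx = multiprocessing.get_context("fork")  # assumes Linux; not enforced on macOS
    proc = ctx.Process(target=_capped_child, args=(limit_mib * MIB, func, args))
    proc.start()
    proc.join(timeout_s)
    if proc.is_alive():  # a hang is a failure, not a success
        proc.kill()
        proc.join()
        return "failed"
    if proc.exitcode == EXIT_OK:
        return "ok"
    if proc.exitcode == EXIT_MEMORY:
        return "memory_exhausted"
    return "failed"


def extract_all_text(pdf_path):
    # Worker for real use (assumes pypdf is installed): extracting text forces
    # pypdf to decode every page content stream, including LZWDecode ones.
    from pypdf import PdfReader
    for page in PdfReader(pdf_path).pages:
        page.extract_text()


def _allocate(n_bytes):
    # Constructed stand-in for a stream that decodes to far more data than
    # expected; lets the cap be demonstrated without a malicious PDF.
    bytearray(n_bytes)
```

For a real file, call `run_memory_capped(extract_all_text, ("untrusted.pdf",), limit_mib=512)` and treat anything other than `"ok"` as a rejected document.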
