UNKNOWN PyPI

pypdf has possible long runtimes for missing /Root object with large /Size values

GHSA-4xc4-762w-m6cg · CVE-2026-22690


Description

Impact

An attacker can craft a PDF that is actually invalid but causes potentially long runtimes when pypdf parses it. This is achieved by omitting the /Root entry in the trailer while using a rather large /Size value. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

from pypdf import PdfReader, PdfWriter


# Instead of
reader = PdfReader("file.pdf")
# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")
# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
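A defender-side pre-check, added here as an example and not part of the advisory or of pypdf itself, that rejects files matching the shape described above (no /Root entry in the trailer, or an oversized /Size) before they are handed to any parser. The MAX_SIZE ceiling, the regular expressions and the sample PDF bytes are constructed assumptions; vetted files should still be opened with PdfReader(..., strict=True) as the workaround above recommends.

```python
import re

# Classic trailer: "trailer << ... >>". Non-greedy, so a trailer that nests
# another dictionary (rare) would be truncated at the inner ">>".
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
# PDF 1.5+ cross-reference streams carry the same keys in a "/Type /XRef"
# stream dictionary instead of a "trailer" keyword, so look for those too.
XREF_STREAM_RE = re.compile(rb"<<((?:(?!>>).)*?/Type\s*/XRef(?:(?!>>).)*?)>>", re.DOTALL)
SIZE_RE = re.compile(rb"/Size\s+(\d+)")
ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")

MAX_SIZE = 1_000_000  # assumed ceiling on the declared object count; tune per workload


def trailer_dicts(data: bytes) -> list[bytes]:
    """Return the body of every trailer-like dictionary found in the file."""
    dicts = [m.group(1) for m in TRAILER_RE.finditer(data)]
    dicts += [m.group(1) for m in XREF_STREAM_RE.finditer(data)]
    return dicts


def check_trailer(data: bytes, max_size: int = MAX_SIZE) -> tuple[bool, str]:
    """Return (ok, reason). ok is False when the file matches the advisory's
    shape: no /Root anywhere in the trailer data, or a /Size above max_size."""
    dicts = trailer_dicts(data)
    if not dicts:
        return False, "no trailer dictionary found"
    if not any(ROOT_RE.search(d) for d in dicts):
        return False, "trailer has no /Root entry"
    sizes = [int(m.group(1)) for d in dicts for m in SIZE_RE.finditer(d)]
    if sizes and max(sizes) > max_size:
        return False, f"/Size {max(sizes)} exceeds ceiling {max_size}"
    return True, "ok"


# Constructed sample inputs (not real files): a minimal valid trailer, and one
# with the /Root entry omitted and an inflated /Size as the advisory describes.
GOOD_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n9\n%%EOF\n")
BAD_PDF = b"%PDF-1.4\ntrailer\n<< /Size 100000000 >>\nstartxref\n9\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PDF), ("bad", BAD_PDF)):
        print(name, check_trailer(blob))
```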

Resources

This issue has been fixed in #3594.
