CVE-2025-55197 | THREATINT

Description

pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

PUBLISHED Reserved 2025-08-08 | Published 2025-08-13 | Updated 2025-08-14 | Assigner GitHub_M

MEDIUM: 6.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 6.0.0

affected

References

github.com/.../pypdf/security/advisories/GHSA-7hfw-26vp-jp8m

github.com/py-pdf/pypdf/issues/3429

github.com/py-pdf/pypdf/pull/3430

github.com/...cdb63f0fb43d8a6b3d222b6946595/pypdf/filters.py

github.com/py-pdf/pypdf/releases/tag/6.0.0

cve.org (CVE-2025-55197)

nvd.nist.gov (CVE-2025-55197)

Download JSON