pypdf FlateDecode Stream Handling Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in pypdf, a pure-Python PDF library, in versions prior to 6.0.0. The issue arises when an attacker crafts a PDF whose cross-reference stream carries a chain of nested FlateDecode filters, so that decoding it consumes an excessive amount of RAM. Because the cross-reference stream is parsed when the file is opened, simply reading the file triggers the issue; other streams carrying the same filter chain are affected when they are explicitly accessed.

Impact

Exploitation of this vulnerability can cause significant memory exhaustion, potentially leading to application or system instability.

Reproduction

The vulnerability can be reproduced by creating a PDF file that is not fully compliant with the PDF specification but contains nested FlateDecode filters. When pypdf processes this file, the library attempts to decompress the entire stream without a size bound, which can result in more than 1 petabyte of zero bytes being unpacked, effectively exhausting the available RAM.

Remediation

Upgrade to pypdf version 6.0.0, which addresses this vulnerability by limiting the decompressed size of FlateDecode filters. If an immediate upgrade is not possible, the fixed decompression code can be backported manually.
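As an added example (not pypdf's own code, nor the actual 6.0.0 patch), the following shows the mitigation approach described above: inflating each FlateDecode stage incrementally and aborting once its output passes a cap, so a nested chain of compressed zeros is rejected before memory is exhausted. MAX_INFLATED_BYTES, CHUNK and the two sample streams are assumptions constructed for this example.

```python
import zlib
from typing import Optional

# Cap on what one FlateDecode stage may inflate to. The value is an assumption
# for this example; pypdf's own limit is not stated on this page.
MAX_INFLATED_BYTES = 64 * 1024
CHUNK = 16 * 1024  # output produced per inflate step; bounds peak memory

class DecompressionLimitExceeded(ValueError):
    """Raised when a stream would inflate past the configured cap."""

def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate incrementally, aborting once the output passes `limit`.

    decompressobj().decompress(buf, max_length) returns at most CHUNK bytes
    per call and parks the unread compressed input in unconsumed_tail, so the
    cap is checked before the next slice is inflated, unlike zlib.decompress().
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        chunk = d.decompress(buf, CHUNK)
        out.extend(chunk)
        if len(out) > limit:
            raise DecompressionLimitExceeded(f"output exceeds {limit} bytes")
        buf = d.unconsumed_tail
        if not chunk and not buf:
            break  # input ran out before the end-of-stream marker (truncated)
    return bytes(out)

def decode_flate_chain(data: bytes, depth: int,
                       limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Apply `depth` nested FlateDecode filters, each under the same cap."""
    for _ in range(depth):
        data = bounded_inflate(data, limit)
    return data

def safe_decode(data: bytes, depth: int) -> Optional[bytes]:
    """Decode a filter chain, returning None instead of exhausting memory."""
    try:
        return decode_flate_chain(data, depth)
    except DecompressionLimitExceeded:
        return None

# Constructed samples (not from the advisory): a benign content stream and
# 1 MiB of zeros, each wrapped in two FlateDecode stages.
SAMPLE_BENIGN = zlib.compress(zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET"))
SAMPLE_NESTED_ZEROS = zlib.compress(zlib.compress(b"\0" * (1 << 20)))
```

Peak memory per stage is bounded by roughly `limit + CHUNK` regardless of how far the input would expand, which is the property the unbounded decompression lacked.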

Added: Aug 13, 2025, 11:17 PM
Updated: Aug 13, 2025, 11:17 PM

Vulnerability Rating (custom algorithm)

Category         Score
spread           5.4
impact           2.5
exploitability   5.8
remediation      7.7
relevance        0.3
threat           6.4
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.