Primary

Context

pypdf LZWDecode Filter Memory Exhaustion Vulnerability

Vulnerability

Patched

A denial-of-service vulnerability has been identified in pypdf, a pure-Python PDF library, affecting versions prior to 6.4.0. The issue arises when the LZWDecode filter is used to parse a PDF page's content stream, allowing an attacker to craft a PDF that causes memory usage to spike up to 1 GB per stream. This excessive memory consumption can lead to application instability or crashes.

Impact

Exploitation of this vulnerability can cause significant memory exhaustion, leading to application crashes or instability.

Remediation

Users can upgrade to pypdf version 6.4.0 or later to address this vulnerability. If an immediate upgrade is not possible, the default LZW decoding output length limit can be manually set to 75,000,000 bytes in the code.

Added: Nov 26, 2025, 12:17 AM

Updated: Nov 26, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

5.1

remediation

8.3

relevance

1.1

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

2.5

exploitability

5.1

remediation

8.3

relevance

1.1

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

pypdf LZWDecode Filter Memory Exhaustion Vulnerability

Vulnerability

Impact

Remediation

Affected Products

pypdf

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating