pypdf Missing Root Object Handling Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in pypdf, a pure-Python PDF library, affecting versions prior to 6.6.0. The issue arises in non-strict reading mode when a PDF file omits the /Root entry in the trailer but includes a large /Size value. This combination can cause the library to spend an extended time processing the file, so an invalid file becomes a performance problem for the application that opens it.

Impact

Exploitation of this vulnerability can lead to significantly prolonged processing times for PDF files, causing potential application performance degradation or unresponsiveness.

Reproduction

To reproduce this vulnerability, create a PDF file that lacks a /Root entry in the trailer but has a large /Size value. Then open this file with pypdf in non-strict mode, which is the default setting. Because the /Root entry is absent, the PdfReader searches for the Root object by accessing each object number in turn, up to the limit given by the /Size value. If the /Size value is large, this search leads to excessive processing times.

Remediation

Users can upgrade to pypdf version 6.6.0 or later, or switch to strict mode when using the PdfReader. For PdfWriter, an explicit strict reader can be used.
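As an added example (not part of the advisory and not pypdf's own code), the following pre-screen inspects the last classic trailer of a PDF before it is handed to pypdf and refuses files that show the shape described above: no /Root entry together with a /Size above a chosen limit. The sample PDF bytes, the size_limit default and the function name are constructed for this illustration.

```python
import re

# Constructed sample files (not real-world samples): a minimal PDF whose
# classic trailer carries /Root, and the same file with /Root dropped and
# an inflated /Size, which is the shape the advisory describes.
_BODY = (b"%PDF-1.4\n"
         b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
         b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n")
GOOD_PDF = _BODY + b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n50\n%%EOF\n"
BAD_PDF = _BODY + b"trailer\n<< /Size 10000000 >>\nstartxref\n50\n%%EOF\n"

_TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
_SIZE_RE = re.compile(rb"/Size\s+(\d+)")
_ROOT_RE = re.compile(rb"/Root\s+\d+\s+\d+\s+R")


def trailer_check(pdf: bytes, size_limit: int = 100_000) -> dict:
    """Screen the last classic trailer for the missing-/Root plus large-/Size shape.

    Returns has_trailer, has_root, size (None if absent) and reject.
    Files that use cross-reference streams (PDF 1.5+) carry no 'trailer'
    keyword; they are reported with has_trailer=False and not rejected here,
    so this check covers classic trailers only (assumption for this example).
    """
    # Incrementally updated files contain several trailers; the last one wins.
    matches = _TRAILER_RE.findall(pdf)
    if not matches:
        return {"has_trailer": False, "has_root": None, "size": None, "reject": False}
    trailer = matches[-1]
    size_m = _SIZE_RE.search(trailer)
    size = int(size_m.group(1)) if size_m else None
    has_root = _ROOT_RE.search(trailer) is not None
    # Without /Root, pypdf before 6.6.0 in non-strict mode probes every object
    # number up to /Size. A missing /Root with a small /Size is cheap to recover;
    # a missing /Root with a large (or absent) /Size is refused up front.
    reject = (not has_root) and (size is None or size > size_limit)
    return {"has_trailer": True, "has_root": has_root, "size": size, "reject": reject}


if __name__ == "__main__":
    # The fix on the pypdf side is to upgrade to 6.6.0 or open the file with
    # PdfReader(path, strict=True); this screen is an extra gate in front of it.
    print(trailer_check(GOOD_PDF))
    print(trailer_check(BAD_PDF))
```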

Added: Jan 10, 2026, 5:19 AM
Updated: Jan 10, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 5.3
remediation: 8.3
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.