pypdf Denial-of-Service Vulnerability via XMP Metadata Entity Declarations

Vulnerability

A denial-of-service vulnerability has been identified in the pypdf library, affecting versions prior to 6.10.0. pypdf parses a document's Extensible Metadata Platform (XMP) packet as XML, and a packet that carries its own entity declarations is expanded while it is parsed: an entity whose value is a large string, referenced repeatedly in the packet body, produces output far larger than the file that contains it. An attacker can exploit this by crafting a PDF whose XMP metadata is built this way; parsing it drives memory consumption well beyond what the file size would suggest.

Impact

Exploitation of this vulnerability makes the parsing process allocate memory proportional to the expanded entity text rather than to the size of the PDF, so a small document can exhaust the memory of the process that parses its metadata, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by creating a PDF whose XMP metadata stream carries a DOCTYPE with custom entity declarations, for example an entity whose value is 'A' repeated many times, and referencing that entity in the packet body. When the XMP parser expands the references, memory consumption grows with the expanded size rather than with the size of the file.
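The following is an added example, not code from pypdf or from the advisory. It builds a constructed PDF whose XMP packet declares an entity of the kind described above, extracts the packet again, estimates how far it would expand without expanding it in memory, and screens it before it reaches xml.dom.minidom, the standard-library parser pypdf uses for XMP. The screen (reject any inline entity declaration, log the estimated amplification) is a pre-parse check a practitioner can add in front of untrusted input; it is not the change made in pypdf 6.10.0, and the estimator is a heuristic of this example.

```python
import re
from xml.dom import minidom


def build_xmp(entity_len: int, refs: int) -> bytes:
    """Constructed XMP packet: the DOCTYPE internal subset declares entity "a"
    as entity_len bytes of "A", which dc:title then references refs times."""
    return (
        b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
        b'<!DOCTYPE x:xmpmeta [ <!ENTITY a "' + b"A" * entity_len + b'"> ]>\n'
        b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        b'<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        b"<dc:title>" + b"&a;" * refs + b"</dc:title>"
        b"</rdf:Description></rdf:RDF></x:xmpmeta>\n"
        b'<?xpacket end="w"?>'
    )


# Constructed packet with no DOCTYPE, as an ordinary producer would write it.
BENIGN_XMP = (
    b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">'
    b"<dc:title>hello</dc:title></rdf:Description></rdf:RDF></x:xmpmeta>\n"
    b'<?xpacket end="w"?>'
)


def build_pdf_with_xmp(xmp: bytes) -> bytes:
    """Minimal one-page PDF whose catalog points at the packet as /Metadata."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


def extract_xmp(pdf: bytes):
    """Pull the raw /Metadata stream out of the PDF. Naive on purpose: assumes an
    unencoded stream with no 'endstream' inside the packet (true for the file above)."""
    m = re.search(rb"/Subtype\s*/XML.*?>>\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S)
    return m.group(1) if m else None


ENTITY_DECL = re.compile(rb'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(rb"&(\w+);")


def expanded_body_size(xml: bytes) -> int:
    """Bytes the body would occupy after every general-entity reference is expanded,
    following references nested inside entity values. Computed from the text
    alone; nothing is actually expanded. Recursive declarations raise ValueError."""
    entities = dict(ENTITY_DECL.findall(xml))
    memo = {}

    def expanded(text: bytes, active: frozenset) -> int:
        total, last = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += m.start() - last
            last = m.end()
            name = m.group(1)
            if name not in entities:  # predefined entity such as &amp;: counts literally
                total += m.end() - m.start()
                continue
            if name in active:
                raise ValueError("recursive entity %r" % name)
            if name not in memo:
                memo[name] = expanded(entities[name], active | {name})
            total += memo[name]
        return total + len(text) - last

    body = xml.split(b"]>", 1)[1] if b"<!DOCTYPE" in xml and b"]>" in xml else xml
    return expanded(body, frozenset())


def screen_xmp(xml: bytes):
    """Verdict for an XMP packet before it reaches the XML parser: any inline
    entity declaration is rejected; the amplification estimate is for the log."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        try:
            ratio = expanded_body_size(xml) / max(len(xml), 1)
            return False, "inline entity declarations, estimated amplification %.0fx" % ratio
        except (ValueError, RecursionError) as exc:
            return False, "inline entity declarations, %s" % exc
    return True, "no entity declarations"


def parse_xmp_safely(xml: bytes):
    """Only packets that pass the screen are handed to minidom. Do not rely on
    the parser's own expansion limits: screen first, then parse."""
    ok, reason = screen_xmp(xml)
    if not ok:
        raise ValueError("refusing to parse XMP packet: " + reason)
    return minidom.parseString(xml)


if __name__ == "__main__":
    pdf = build_pdf_with_xmp(build_xmp(1000, 500))
    xmp = extract_xmp(pdf)
    print("PDF %d bytes, XMP %d bytes, expands to %d bytes" % (len(pdf), len(xmp), expanded_body_size(xmp)))
    print(screen_xmp(xmp))
```

The constructed file is under 4 KB, yet its metadata body expands to roughly half a megabyte; raising the two parameters of build_xmp scales that without changing the file's shape, which is why the estimate, not the file size, is the number to alert on.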

Remediation

Upgrade to pypdf version 6.10.0 or later. If an immediate upgrade is not possible, the changes from PR #3724 can be backported as a workaround. Until either is in place, avoid parsing the XMP metadata of untrusted documents, or screen the packet for entity declarations before it reaches the XML parser.

Added: Apr 17, 2026, 1:28 AM
Updated: Apr 17, 2026, 1:28 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 6.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.