pypdf Cross-Reference Stream Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the pypdf library, affecting versions prior to 6.10.1. It allows an attacker to craft a PDF that causes prolonged processing times. The issue arises from cross-reference streams that declare incorrectly large '/Size' values, or object streams that declare incorrectly large '/N' values, which the parser trusts when sizing its work.

Impact

Exploitation of this vulnerability leads to excessive processing times when handling certain PDF files, causing potential application slowdowns or unresponsiveness.

Reproduction

The vulnerability can be reproduced by creating a PDF file that includes cross-reference streams with artificially inflated '/Size' values or object streams with exaggerated '/N' values. When this crafted PDF is processed using a vulnerable version of the pypdf library, it will result in extended runtime delays.

Remediation

Users can upgrade to pypdf version 6.10.1 or later to address this vulnerability. If an immediate upgrade is not possible, the changes from the official patch can be applied manually.
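As an added example, not part of this advisory or of pypdf's own patch (whose details the advisory does not reproduce), the following Python check pre-screens untrusted PDF bytes before they reach a vulnerable pypdf version. It applies a plausibility bound the advisory implies: a cross-reference stream's '/Size' or an object stream's '/N' cannot legitimately exceed the number of bytes in the file, since every object occupies at least one byte. The regexes, the `Finding` class, the limit values and the sample PDF fragment are all constructed here for illustration and are not a full PDF parser.

```python
import re
from dataclasses import dataclass

# Heuristic bound (assumed here): each object needs at least one byte of
# file, so a declared count larger than the file length is implausible.
MIN_BYTES_PER_OBJECT = 1

DICT_RE = re.compile(rb"<<(.*?)>>", re.DOTALL)          # flat dicts only
TYPE_RE = re.compile(rb"/Type\s*/(XRef|ObjStm)\b")
SIZE_RE = re.compile(rb"/Size\s+(\d+)")                   # xref stream count
N_RE = re.compile(rb"/N\s+(\d+)")                         # object stream count


@dataclass
class Finding:
    kind: str    # "XRef" or "ObjStm"
    key: str     # "/Size" or "/N"
    value: int   # declared object count
    limit: int   # bound it exceeded


def find_inflated_counts(pdf_bytes: bytes, hard_limit: int = 10_000_000) -> list[Finding]:
    """Return every xref stream or object stream dictionary whose declared
    object count is implausibly large for a file of this length."""
    limit = min(hard_limit, len(pdf_bytes) // MIN_BYTES_PER_OBJECT)
    findings: list[Finding] = []
    for m in DICT_RE.finditer(pdf_bytes):
        body = m.group(1)
        t = TYPE_RE.search(body)
        if not t:
            continue                      # not an xref or object stream dict
        kind = t.group(1).decode()
        count_re, key = (SIZE_RE, "/Size") if kind == "XRef" else (N_RE, "/N")
        c = count_re.search(body)
        if c and int(c.group(1)) > limit:
            findings.append(Finding(kind, key, int(c.group(1)), limit))
    return findings


# Constructed sample: a tiny PDF skeleton whose stream dictionaries declare
# absurd object counts. The streams themselves are empty.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /ObjStm /N 4000000000 /First 16 /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /XRef /Size 4294967295 /W [1 2 1] /Root 1 0 R /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\n"
    b"startxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    for f in find_inflated_counts(SAMPLE_PDF):
        print(f"{f.kind}: {f.key} {f.value} exceeds limit {f.limit}")
```

A file that trips this check should be rejected or handed to pypdf only under a separate execution timeout; a clean result does not prove the file is safe, it only removes the one pattern the advisory describes.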

Added: Apr 22, 2026, 9:19 PM
Updated: Apr 22, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.