GHSA-jm82-fx9c-mx94MediumDisclosed before NVD

pypdf: Missing stream length values ignore defined limits

Published
June 18, 2026
Last Modified
June 18, 2026

📋 Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.

Patches

This has been fixed in pypdf==6.13.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3871.

🎯 Affected products1

  • pip/pypdf:< 6.13.3

🔗 References (4)