GHSA-jm82-fx9c-mx94MediumDisclosed before NVD
pypdf: Missing stream length values ignore defined limits
📋 Description
Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.
Patches
This has been fixed in pypdf==6.13.3.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3871.
🎯 Affected products1
- pip/pypdf:< 6.13.3