pyPdf@6.7.4

A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files

  • latest version

    6.10.2

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pyPdf package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version
    • High severity
    Improper Validation of Specified Quantity in Input

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the PdfReader object stream and xref stream parsers in pypdf/_reader.py. An attacker can trigger excessive allocation and recursive page/object processing by supplying a crafted PDF with oversized /N or /Index values in an object stream or cross-reference stream. This can crash or hang the parser as it tries to read far more entries than the stream contains, preventing the user from opening the document and consuming CPU and memory during parsing.

    How to fix Improper Validation of Specified Quantity in Input?

    Upgrade pypdf to version 6.10.1 or higher.

Vulnerable versions: [,6.10.1)
    • Medium severity
    Excessive Iteration

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and significantly degrade performance by loading a PDF file with a large trailer /Size value.

    How to fix Excessive Iteration?

    Upgrade pypdf to version 6.10.2 or higher.

Vulnerable versions: [,6.10.2)
    • Medium severity
    Memory Allocation with Excessive Size Value

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the FlateDecode method when handling streams with a /Predictor value not equal to 1 and large predictor parameters. An attacker can cause excessive memory consumption by crafting a specially formed PDF file.

    How to fix Memory Allocation with Excessive Size Value?

    Upgrade pypdf to version 6.10.2 or higher.

Vulnerable versions: [,6.10.2)
    • Medium severity
    Memory Allocation with Excessive Size Value

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FlateDecode image processing when handling images with large size values. An attacker can exhaust system memory by crafting a PDF that references an image with manipulated dimensions, leading to resource exhaustion when the file is processed.

    How to fix Memory Allocation with Excessive Size Value?

    Upgrade pypdf to version 6.10.2 or higher.

Vulnerable versions: [,6.10.2)
    • Medium severity
    XML Entity Expansion

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to XML Entity Expansion when parsing XMP metadata. An attacker can cause excessive memory consumption with excessive DOCTYPE entity declarations.

    How to fix XML Entity Expansion?

    Upgrade pypdf to version 6.10.0 or higher.

Vulnerable versions: [,6.10.0)
    • High severity
    Infinite loop

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Infinite loop in the read_from_stream function of DictionaryObject. An attacker can cause the application to enter an infinite loop by providing a specially crafted PDF file when the file is read in non-strict mode.

Note: this is only exploitable when non-strict mode is enabled, which is PdfReader's default (strict=False).

    How to fix Infinite loop?

    Upgrade pypdf to version 6.9.2 or higher.

Vulnerable versions: [,6.9.2)
    • Medium severity
    Inefficient Algorithmic Complexity

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the decoding process of array-based streams. An attacker can cause excessive resource consumption by crafting a PDF with a large number of entries in an array-based stream.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade pypdf to version 6.9.1 or higher.

Vulnerable versions: [,6.9.1)
    • Medium severity
    Allocation of Resources Without Limits or Throttling

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in read_from_stream(), when parsing PDF content streams. An attacker can consume excessive memory by providing a content stream with an excessive declared /Length value, even if the data length is not excessive.

    Note: The project maintainers note that "As far as we are aware, this mostly affects reading from buffers of unknown size, as returned by open("file.pdf", mode="rb") for example. Passing a file path or a BytesIO buffer to pypdf instead does not seem to trigger the vulnerability."

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade pypdf to version 6.8.0 or higher.

Vulnerable versions: [,6.8.0)
    • Medium severity
    Inefficient Algorithmic Complexity

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files.

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity due to the inefficient decoding of ASCIIHexDecode streams. An attacker can cause excessive resource consumption and significantly degrade performance by crafting a PDF that triggers long runtimes in streams using the /ASCIIHexDecode filter.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade pypdf to version 6.7.5 or higher.

Vulnerable versions: [,6.7.5)
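A quick way to tell which of the advisories above apply to a given pypdf release is to check it against the version ranges the page lists. The following is an added example, not code from this page or from the pypdf project: the ADVISORIES table is transcribed from the entries above (titles abbreviated, with the affected component in parentheses), Snyk's interval notation is parsed as written, and the version parser only handles plain dotted numeric releases, not pre-release or post-release suffixes.

```python
"""Check a pypdf version against the vulnerable ranges listed on this page (added example)."""
import re
from importlib.metadata import PackageNotFoundError, version as _dist_version

# (title, vulnerable range) transcribed from the advisories above. Snyk's
# interval notation "[,6.10.1)" means every version strictly below 6.10.1.
ADVISORIES = [
    ("Improper Validation of Specified Quantity in Input (object/xref streams)", "[,6.10.1)"),
    ("Excessive Iteration (trailer /Size, incremental mode)", "[,6.10.2)"),
    ("Memory Allocation with Excessive Size Value (FlateDecode /Predictor)", "[,6.10.2)"),
    ("Memory Allocation with Excessive Size Value (FlateDecode image size)", "[,6.10.2)"),
    ("XML Entity Expansion (XMP metadata)", "[,6.10.0)"),
    ("Infinite loop (DictionaryObject.read_from_stream, non-strict mode)", "[,6.9.2)"),
    ("Inefficient Algorithmic Complexity (array-based streams)", "[,6.9.1)"),
    ("Allocation of Resources Without Limits or Throttling (/Length)", "[,6.8.0)"),
    ("Inefficient Algorithmic Complexity (ASCIIHexDecode)", "[,6.7.5)"),
]

# "[lo,hi)" style interval: bracket = inclusive bound, parenthesis = exclusive, empty = unbounded.
_RANGE = re.compile(r"^(?P<lob>[\[(])(?P<lo>[^,]*),(?P<hi>[^\])]*)(?P<hib>[\])])$")


def parse_version(text):
    """'6.10.2' -> (6, 10, 2). Tuples compare numerically, so 6.10 sorts after 6.9."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(ver, rng):
    """True if dotted version string `ver` falls inside Snyk interval `rng`."""
    m = _RANGE.match(rng.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised range: {rng!r}")
    v = parse_version(ver)
    lo, hi = m.group("lo"), m.group("hi")
    if lo:
        low = parse_version(lo)
        if v < low or (v == low and m.group("lob") == "("):
            return False
    if hi:
        high = parse_version(hi)
        if v > high or (v == high and m.group("hib") == ")"):
            return False
    return True


def vulnerable_advisories(ver):
    """Titles of every advisory above whose range contains `ver`."""
    return [title for title, rng in ADVISORIES if in_range(ver, rng)]


def minimum_fixed_version():
    """Smallest release outside every range above (all of them are half-open at the top)."""
    uppers = [parse_version(_RANGE.match(rng).group("hi")) for _, rng in ADVISORIES]
    return ".".join(str(part) for part in max(uppers))


def installed_pypdf_version():
    """Installed pypdf version string, or None if the distribution is not installed."""
    try:
        return _dist_version("pypdf")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    ver = installed_pypdf_version() or "6.7.4"   # 6.7.4 is the release this page is for
    hits = vulnerable_advisories(ver)
    print(f"pypdf {ver}: {len(hits)} listed advisories apply; upgrade to >= {minimum_fixed_version()}")
    for title in hits:
        print("  -", title)
```

For the release this page covers, 6.7.4, all nine entries apply, and the single upgrade that clears every range is 6.10.2, which is also the latest version shown at the top of the page.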
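Every entry above is a denial of service (a hang, an unbounded allocation, or a decoding loop with bad complexity), so beyond upgrading, the control a practitioner wants is to never run the parser on untrusted input inside the serving process. The following is an added example, not code from pypdf or from this page: it parses in a forked child with a capped address space (RLIMIT_AS), a CPU-time cap (RLIMIT_CPU), a wall-clock deadline, and strict=True, and treats any child failure as "reject the file". It assumes a Unix host (fork and setrlimit) and that pypdf is installed for the summarize_untrusted_pdf path; the _hang_forever and _allocate_huge workers are constructed stand-ins for the failure modes the advisories describe, not real exploits.

```python
"""Run pypdf over an untrusted file inside a resource-limited child process (added example)."""
import multiprocessing
import resource
import time


def _cap(limit, value):
    # Never ask for more than the existing hard limit, or setrlimit raises ValueError.
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _limited_child(conn, target, args, max_bytes, max_cpu_seconds):
    # Runs in the forked child: apply the caps before touching untrusted input.
    _cap(resource.RLIMIT_AS, max_bytes)           # oversized allocations -> MemoryError
    _cap(resource.RLIMIT_CPU, max_cpu_seconds)    # runaway decoding loops -> SIGXCPU
    conn.send(target(*args))                      # keep results small: this is a pipe
    conn.close()


def run_limited(target, args=(), max_bytes=512 << 20, max_cpu_seconds=10, wall_seconds=15):
    """Run target(*args) in a limited child and return (status, result).

    status: 'ok'      target returned normally
            'error'   uncaught exception (MemoryError, strict-mode PdfReadError, ...)
            'killed'  terminated by a signal (e.g. SIGXCPU from the CPU cap)
            'timeout' wall-clock deadline hit (a hang that burns no CPU)
    """
    ctx = multiprocessing.get_context("fork")     # Unix only; target need not be picklable
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_limited_child,
                       args=(child_conn, target, args, max_bytes, max_cpu_seconds))
    proc.start()
    child_conn.close()
    proc.join(wall_seconds)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return "timeout", None
    if proc.exitcode == 0 and parent_conn.poll():
        return "ok", parent_conn.recv()
    return ("killed" if proc.exitcode < 0 else "error"), None


def _pypdf_summary(path):
    # Imported inside the child so a parser hang or OOM never reaches the caller.
    from pypdf import PdfReader
    reader = PdfReader(path, strict=True)   # strict: malformed structures raise instead of being tolerated
    return {"pages": len(reader.pages), "encrypted": reader.is_encrypted}


def summarize_untrusted_pdf(path, **limits):
    """('ok', {...}) for a well-formed file; any other status means reject it."""
    return run_limited(_pypdf_summary, (path,), **limits)


# Constructed stand-ins for the failure modes the advisories describe, so the
# harness can be exercised without pypdf installed or a malicious PDF on disk.
def _well_behaved(x):
    return x * 2


def _hang_forever():
    time.sleep(3600)                   # a parser hang that burns no CPU


def _allocate_huge():
    return len(bytearray(1 << 30))     # an oversized allocation (1 GiB)


if __name__ == "__main__":
    print(run_limited(_well_behaved, (21,)))                 # ('ok', 42)
    print(run_limited(_hang_forever, wall_seconds=1))        # ('timeout', None)
    print(run_limited(_allocate_huge, max_bytes=256 << 20))  # ('error', None)
```

Passing a file path to PdfReader, as summarize_untrusted_pdf does, also sidesteps the buffer-of-unknown-size case the maintainers describe for the /Length issue. strict=True is the setting that removes the non-strict-only infinite-loop entry, but it makes PdfReader raise on malformed structures it would otherwise try to recover from, so expect some legitimate but sloppy PDFs to land in the 'error' bucket as well.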