Improper Validation of Specified Quantity in Input Affecting oxidize-pdf package, versions [,0.5.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-OXIDIZEPDF-16734495
- published18 May 2026
- disclosed11 May 2026
- creditbzsanti
Introduced: 11 May 2026
New CVE NOT AVAILABLE CWE-1284 (opens in a new tab)How to fix?
Upgrade oxidize-pdf to version 0.5.0 or higher.
Overview
oxidize-pdf is a Python bindings for oxidize-pdf — generate, parse, split, merge, and manipulate PDF files
Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the emission of non-finite color values in the content stream. An attacker can cause PDF viewers to reject the content stream, affected page, or entire document by supplying specially crafted color values such as NaN or infinity, which are not valid PDF numeric tokens and bypass input clamping when constructed directly through public enum variants.
Workaround
This vulnerability can be mitigated by always constructing colors via safe constructors that clamp values, avoiding direct enum construction from untrusted input, and validating color components to ensure they are finite before passing them to the API.