Allocation of Resources Without Limits or Throttling in pypdf | CVE-2025-55197

Q: How to fix?

Upgrade pypdf to version 6.0.0 or higher.

Introduced: 13 Aug 2025

NewCVE-2025-55197 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade pypdf to version 6.0.0 or higher.

Overview

pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the decompressed size for the FlateDecode filter. An attacker can cause excessive memory consumption by providing a crafted PDF file containing a series of malicious filters or cross-reference streams.

Note: This is exploitable if the file is read and the affected streams are processed.

Workaround

This vulnerability can be mitigated by including the fixed code from pypdf.filters.decompress into the existing filters file.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting pypdf package, versions [,6.0.0)

Severity

Do your applications use this vulnerable package?

Snyk Learn