logo

Database

Asymmetric denial of service - ReDoS In pypdf

Description

pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-660192. NVD-2025-660193. OSV-2025-660194. GHSA-jfx9-29x2-rv3j5. GHSA-m449-cwjh-6pw76. GCVE-2025-66019

References

1. https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j2. https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw73. https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b24. https://aydinnyunus.github.io/2025/12/20/cve-2025-66019-pypdf-lzw-dos5. https://github.com/py-pdf/pypdf/releases/tag/6.4.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.