MEDIUM

GHSA-jm82-fx9c-mx94

pypdf: Missing stream length values ignore defined limits

Details

### Impact

An attacker can craft a PDF that leads to large memory usage when parsed, because `MAX_DECLARED_STREAM_LENGTH` is sometimes ignored. Triggering this requires pypdf to parse a content stream that has no `/Length` value.
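The affected condition is a stream object whose dictionary carries no `/Length` entry, so the parser cannot bound the stream before reading it. The following is an added example, not pypdf's own code and not the fix from the advisory: a small pre-parse scanner that walks the raw bytes of an untrusted PDF, locates every `stream` keyword, recovers the dictionary in front of it (handling nested `<< >>`), and reports streams whose `/Length` is missing, indirect, or above a caller-chosen cap. The function names, the `Finding` record, and the sample PDF bytes are all constructed for this example; the cap is a parameter you pick, not pypdf's constant.

```python
import re
from typing import List, Optional, TypedDict

# A 'stream' keyword that is not the tail of 'endstream', followed by EOL.
STREAM_KEYWORD = re.compile(rb"(?<!end)stream\r?\n")
# '/Length 123' or '/Length 6 0 R'; the lookahead avoids matching /Length1 etc.
LENGTH_ENTRY = re.compile(rb"/Length(?![A-Za-z0-9])\s*(\d+)(?:\s+(\d+)\s+R)?")
OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


class Finding(TypedDict):
    obj: Optional[int]        # object number the stream belongs to, if found
    declared: Optional[int]   # direct /Length value, if any
    issue: Optional[str]      # None, "missing", "indirect" or "exceeds"


def _dict_before(data: bytes, pos: int) -> Optional[int]:
    """Return the offset of the '<<' opening the dictionary that ends just before pos.

    Walks backwards counting '<<' / '>>' so nested dictionaries (e.g. /DecodeParms)
    are skipped over. Returns None if no dictionary precedes pos.
    """
    i = pos
    while i > 0 and data[i - 1:i] in (b" ", b"\t", b"\r", b"\n"):
        i -= 1
    if data[i - 2:i] != b">>":
        return None
    depth = 0
    while i >= 2:
        pair = data[i - 2:i]
        if pair == b">>":
            depth += 1
            i -= 2
        elif pair == b"<<":
            depth -= 1
            i -= 2
            if depth == 0:
                return i
        else:
            i -= 1
    return None


def find_stream_length_issues(data: bytes, max_declared: int) -> List[Finding]:
    """Scan raw PDF bytes and classify every stream by its declared /Length.

    This is a heuristic byte-level check, not a PDF parser: it does not resolve
    indirect references, decode object streams, or honour strings containing '>>'.
    """
    findings: List[Finding] = []
    for m in STREAM_KEYWORD.finditer(data):
        start = _dict_before(data, m.start())
        if start is None:
            findings.append(Finding(obj=None, declared=None, issue="missing"))
            continue
        dict_bytes = data[start:m.start()]
        headers = list(OBJ_HEADER.finditer(data, 0, start))
        obj = int(headers[-1].group(1)) if headers else None
        lm = LENGTH_ENTRY.search(dict_bytes)
        if lm is None:
            findings.append(Finding(obj=obj, declared=None, issue="missing"))
        elif lm.group(2) is not None:
            findings.append(Finding(obj=obj, declared=None, issue="indirect"))
        else:
            declared = int(lm.group(1))
            issue = "exceeds" if declared > max_declared else None
            findings.append(Finding(obj=obj, declared=declared, issue=issue))
    return findings


def is_safe_to_parse(data: bytes, max_declared: int) -> bool:
    """True if no stream is missing a direct /Length or declares one above the cap."""
    return all(f["issue"] not in ("missing", "exceeds")
               for f in find_stream_length_issues(data, max_declared))


# Constructed sample (not from the advisory): object 4 has a direct /Length and a
# nested dictionary; object 5 omits /Length entirely, the shape the advisory describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents [4 0 R 5 0 R] >>
endobj
4 0 obj
<< /Length 36 /Filter /FlateDecode /DecodeParms << /Predictor 1 >> >>
stream
BT /F1 12 Tf 72 712 Td (Hello) Tj ET
endstream
endobj
5 0 obj
<< /Filter /FlateDecode >>
stream
BT /F1 12 Tf 72 700 Td (No length) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for f in find_stream_length_issues(SAMPLE_PDF, max_declared=100):
        print(f)
    print("safe to parse:", is_safe_to_parse(SAMPLE_PDF, max_declared=100))
```

Streams with an indirect `/Length` (`6 0 R`) are reported but not rejected, since resolving them needs a real parser; treat them as unverified if your threat model is hostile input. Because this is a byte-level heuristic, it can be fooled by content inside object streams or by dictionary strings containing `>>`, so it complements rather than replaces upgrading to the fixed release and running the parser under an OS-level memory limit.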

### Patches

This has been fixed in [pypdf==6.13.3](https://github.com/py-pdf/pypdf/releases/tag/6.13.3).

### Workarounds

If you cannot upgrade yet, consider applying the changes from PR [#3871](https://github.com/py-pdf/pypdf/pull/3871).

Affected packages

PyPI / pypdf
Introduced in: 0
Fixed in: 6.13.3
Fix: pip install --upgrade 'pypdf>=6.13.3'