LOW 3.3
GHSA-248m-82v9-q6g6
pypdf: Possible long runtimes for zero-only width values in cross-reference streams
Details
### Impact
An attacker who exploits this vulnerability can craft a PDF that leads to long runtimes. This requires cross-reference streams with `/W [0 0 0]` values and large `/Size` values.
### Patches
This has been fixed in [pypdf==6.12.0](https://github.com/py-pdf/pypdf/releases/tag/6.12.0).
### Workarounds
If developers are unable to upgrade their apps immediately, they should consider applying the changes from PR [#3791](https://github.com/py-pdf/pypdf/pull/3791).
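For services that must accept untrusted PDFs before they can upgrade, the condition described under Impact can be triaged from the raw bytes, because a cross-reference stream's dictionary is stored uncompressed. The following is an added example, not code from pypdf or from the advisory; `find_zero_width_xref` and the `size_limit` default are assumptions made here, and the check is a heuristic that does not handle `#`-escaped names or comments inside the dictionary.

```python
import re

XREF_TYPE = re.compile(rb"/Type\s*/XRef\b")
WIDTHS = re.compile(rb"/W\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s*\]")
SIZE = re.compile(rb"/Size\s+(\d+)")


def find_zero_width_xref(data: bytes, size_limit: int = 100_000) -> list[dict]:
    """Return one finding per cross-reference stream whose /W is all zeros
    and whose /Size exceeds size_limit (an assumed threshold, tune locally)."""
    findings = []
    for m in XREF_TYPE.finditer(data):
        # The stream dictionary sits between "N G obj" and the "stream" keyword.
        start = data.rfind(b"obj", 0, m.start())
        end = data.find(b"stream", m.end())
        if start < 0 or end < 0:
            continue
        chunk = data[start:end]
        w, size = WIDTHS.search(chunk), SIZE.search(chunk)
        if not w or not size:
            continue
        widths = [int(x) for x in w.groups()]
        declared = int(size.group(1))
        # All-zero widths mean each declared entry occupies zero stream bytes,
        # so /Size is not bounded by the amount of data actually present.
        if not any(widths) and declared > size_limit:
            findings.append({"offset": start, "widths": widths, "size": declared})
    return findings


# Constructed sample fragments (dictionary headers only, not complete PDFs).
SUSPICIOUS = (b"7 0 obj\n<< /Type /XRef /W [0 0 0] /Size 900000000 /Length 0 >>\n"
              b"stream\n\nendstream\nendobj\n")
NORMAL = b"7 0 obj\n<< /Type /XRef /W [1 2 1] /Size 12 /Length 48 >>\nstream\n"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(name, find_zero_width_xref(blob))
```

A non-empty result is a reason to reject or quarantine the file before parsing; an empty result does not prove the file is safe.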
References
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-48156 [ADVISORY]
- https://github.com/py-pdf/pypdf/pull/3791 [WEB]
- https://github.com/py-pdf/pypdf/commit/507d7c9aa6ea83389b954b9c3c0c528fe5d5da70 [WEB]
- https://github.com/py-pdf/pypdf [PACKAGE]
- https://github.com/py-pdf/pypdf/releases/tag/6.12.0 [WEB]