MEDIUM

GHSA-5hgr-hg42-57jg

pypdf: Inefficient decoding of FlateDecode PNG predictor streams

Details

### Impact

An attacker can craft a PDF that makes pypdf spend a very long time decoding it, i.e. a denial of service. The trigger is a stream that uses the `/FlateDecode` filter together with a PNG predictor (in the PDF specification, a `/DecodeParms` dictionary whose `/Predictor` is 10 to 15); the slow path is only reached when such a stream is actually decoded.

### Patches

This has been fixed in [pypdf==6.12.2](https://github.com/py-pdf/pypdf/releases/tag/6.12.2).

### Workarounds

If you cannot upgrade yet, consider applying the changes from PR [#3806](https://github.com/py-pdf/pypdf/pull/3806).
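Two checks a practitioner would want alongside this advisory, written here as an added example and not taken from the advisory or from pypdf's own code: a version gate against the fixed release named above, and a scan of a PDF's raw bytes for stream dictionaries that combine `/FlateDecode` with a PNG predictor (`/Predictor` 10 to 15 per the PDF specification; 2 is the TIFF predictor and is not in scope). The function names are mine and the sample PDF bytes are constructed for the example.

```python
import re
import sys
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import List, Optional, Tuple

# Release the advisory names as carrying the fix.
FIXED_VERSION = (6, 12, 2)

# PDF spec: /Predictor 10..15 selects the PNG predictors; 2 is TIFF, 1 is none.
PNG_PREDICTORS = range(10, 16)

PREDICTOR_RE = re.compile(rb"/Predictor\s+(\d+)")
STREAM_KEYWORD_RE = re.compile(rb"\bstream\b")   # \b keeps 'endstream' from matching


def parse_version(v: str) -> Tuple[int, int, int]:
    """'6.12.1' -> (6, 12, 1); a missing patch component counts as 0, suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_version(v: str) -> bool:
    """True for every release before the fixed one (the advisory lists 'Introduced in: 0')."""
    return parse_version(v) < FIXED_VERSION


def _dict_before(pdf: bytes, stream_pos: int) -> Optional[Tuple[int, bytes]]:
    """Return (offset, raw bytes) of the '<< ... >>' dictionary ending just before 'stream'.

    Walks backwards and balances '<<'/'>>' so that a nested /DecodeParms
    dictionary stays inside the returned span.
    """
    i = stream_pos - 1
    while i >= 0 and pdf[i:i + 1] in b" \t\r\n":   # skip whitespace before the keyword
        i -= 1
    if i < 1 or pdf[i - 1:i + 1] != b">>":
        return None                                # 'stream' not preceded by a dictionary
    end = i + 1                                    # exclusive end of the dictionary
    depth, j = 0, end - 2
    while j >= 0:
        pair = pdf[j:j + 2]
        if pair == b">>":
            depth += 1
            j -= 2
        elif pair == b"<<":
            depth -= 1
            if depth == 0:
                return j, pdf[j:end]
            j -= 2
        else:
            j -= 1
    return None                                    # unbalanced: malformed or binary noise


def find_png_predictor_streams(pdf: bytes) -> List[int]:
    """Byte offsets of stream dictionaries that use /FlateDecode with a PNG predictor."""
    hits = []
    for m in STREAM_KEYWORD_RE.finditer(pdf):
        found = _dict_before(pdf, m.start())
        if found is None:
            continue
        offset, d = found
        if b"/FlateDecode" not in d:
            continue
        p = PREDICTOR_RE.search(d)
        if p and int(p.group(1)) in PNG_PREDICTORS:
            hits.append(offset)
    return hits


# Constructed sample (not a real file): three Flate streams, only object 3 uses a PNG predictor.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Length 5 /Filter /FlateDecode >>\nstream\nxxxxx\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 5 /Filter /FlateDecode"
    b" /DecodeParms << /Predictor 12 /Columns 4 >> >>\nstream\nyyyyy\nendstream\nendobj\n"
    b"4 0 obj\n<< /Length 5 /Filter /FlateDecode"
    b" /DecodeParms << /Predictor 2 /Colors 1 >> >>\nstream\nzzzzz\nendstream\nendobj\n"
    b"%%EOF\n"
)


if __name__ == "__main__":
    try:
        v = installed_version("pypdf")
        print(f"pypdf {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    except PackageNotFoundError:
        print("pypdf is not installed")
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for off in find_png_predictor_streams(data):
        print(f"PNG-predictor Flate stream dictionary at byte offset {off}")
```

Run it with a file path to triage an untrusted PDF before handing it to an unpatched pypdf; without arguments it scans the constructed sample. Two caveats: the scan is a byte-level heuristic, not a parser, so dictionaries packed inside compressed object streams (`/ObjStm`) are invisible to it and a miss is not proof of absence; and it flags the presence of such streams, not whether decoding them would actually be slow, so treat a hit as a reason to upgrade or sandbox rather than as confirmation of an attack.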


Affected packages

PyPI / pypdf: introduced in 0 (every release before the fix), fixed in 6.12.2

Fix:

```
pip install --upgrade 'pypdf>=6.12.2'
```
