CVE-2025-62708
Memory Usage vulnerability in pypdf (PyPI)


What is CVE-2025-62708 About?

This vulnerability involves excessive memory consumption when pypdf parses a specially crafted PDF file. An attacker can build a PDF whose compressed content forces the parser to allocate far more memory than the size of the file suggests, potentially exhausting the memory available to the process. Exploitation requires that the target open or process the malicious PDF; once the crafting technique is known, producing such a file is straightforward.

Affected Software

pypdf <6.1.3

Technical Details

The vulnerability occurs when pypdf parses the content stream of a page to which the LZWDecode filter has been applied. LZW is a dictionary coder: each code in the compressed data stands for a byte sequence built up from earlier codes, so a short sequence of codes can decode to a very large amount of output. An attacker can craft a PDF containing a compressed stream that, when decompressed with the LZWDecode filter, causes a disproportionately large amount of memory to be allocated relative to the size of the stream. This is achieved by manipulating the parameters or content of the LZW stream so that the decoder's output, and the structures it builds while decoding, grow far faster than the input is consumed, leading to high memory usage.
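To make the amplification concrete, the following is an added example written for this page; it is not pypdf's decoder and not the code of the fix. It implements a PDF-style LZW encoder (used only to build inputs) and a decoder that enforces an output budget, so that a stream which would expand beyond the budget is rejected before the memory is allocated. The code widths (9 to 12 bits), the clear code 256, the end-of-data code 257 and the EarlyChange=1 width switch follow the PDF LZWDecode filter; the constant names, the LZWBudgetExceeded exception, the 200 000-byte sample and the noisy_sample helper are assumptions of the example.

```python
"""Added example (not pypdf code): a PDF-style LZW codec whose decoder
enforces an output budget.

A run of a single byte value is the simplest amplifier: the k-th code emitted
for such a run decodes to k bytes, so about sqrt(2n) codes (a few hundred
bytes of input) expand to n bytes of output.
"""
import random

CLEAR, EOD, FIRST_CODE, MAX_CODE, EARLY = 256, 257, 258, 4096, 1


class LZWBudgetExceeded(Exception):
    """Decoded output would exceed the caller's memory budget."""


def lzw_encode(data: bytes) -> bytes:
    """Compress data into a PDF-compatible LZW stream (used here to build inputs)."""
    out, acc, nbits = bytearray(), 0, 0

    def put(code: int, width: int) -> None:  # append `width` bits, MSB first
        nonlocal acc, nbits
        acc, nbits = (acc << width) | code, nbits + width
        while nbits >= 8:
            out.append((acc >> (nbits - 8)) & 0xFF)
            nbits -= 8
        acc &= (1 << nbits) - 1

    table = {bytes([i]): i for i in range(256)}
    next_code, width, w = FIRST_CODE, 9, b""
    put(CLEAR, width)
    for byte in data:
        wc = w + bytes([byte])
        if wc in table:
            w = wc
            continue
        put(table[w], width)
        table[wc] = next_code
        next_code += 1
        if next_code + EARLY - 1 >= (1 << width) and width < 12:
            width += 1
        if next_code + EARLY >= MAX_CODE:  # table full: tell the decoder to reset
            put(CLEAR, width)
            table = {bytes([i]): i for i in range(256)}
            next_code, width = FIRST_CODE, 9
        w = bytes([byte])
    if w:
        put(table[w], width)
        next_code += 1  # the decoder adds an entry after this code; keep widths in step
        if next_code + EARLY - 1 >= (1 << width) and width < 12:
            width += 1
    put(EOD, width)
    if nbits:
        put(0, 8 - nbits)  # zero-pad to a byte boundary
    return bytes(out)


def lzw_decode(stream: bytes, max_output: int) -> bytes:
    """Decompress a PDF LZW stream, refusing to grow past max_output bytes.

    The budget is checked before each entry is appended, so a crafted stream
    fails fast instead of being materialised in full.
    """
    out, pos, total_bits = bytearray(), 0, len(stream) * 8
    table: list[bytes] = []
    width, prev = 9, None

    def reset() -> None:
        nonlocal table, width, prev
        table = [bytes([i]) for i in range(256)] + [b"", b""]  # 256/257: control codes
        width, prev = 9, None

    def get(n: int) -> int:  # read n bits, MSB first
        nonlocal pos
        byte_i, bit_off = divmod(pos, 8)
        window = int.from_bytes(stream[byte_i:byte_i + 3].ljust(3, b"\0"), "big")
        pos += n
        return (window >> (24 - bit_off - n)) & ((1 << n) - 1)

    reset()
    while pos + width <= total_bits:
        code = get(width)
        if code == CLEAR:
            reset()
            continue
        if code == EOD:
            return bytes(out)
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]  # code not yet in the table: the KwKwK case
        else:
            raise ValueError(f"corrupt LZW stream: code {code} at bit {pos - width}")
        if len(out) + len(entry) > max_output:
            raise LZWBudgetExceeded(
                f"output would exceed {max_output} bytes after {pos // 8} input bytes")
        out += entry
        if prev is not None and len(table) < MAX_CODE:
            table.append(prev + entry[:1])
            if len(table) + EARLY >= (1 << width) and width < 12:
                width += 1
        prev = entry
    raise ValueError("corrupt LZW stream: no end-of-data code")


def amplification(n: int = 200_000) -> tuple[int, int, float]:
    """(compressed bytes, decoded bytes, expansion factor) for an n-byte run of 0x00."""
    compressed = lzw_encode(bytes(n))
    return len(compressed), n, n / len(compressed)


def noisy_sample(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes; incompressible, so they exercise table resets."""
    return random.Random(seed).randbytes(n)


if __name__ == "__main__":
    c, p, f = amplification()
    print(f"{c} compressed bytes decode to {p} bytes ({f:.0f}x expansion)")
    try:
        lzw_decode(lzw_encode(bytes(200_000)), max_output=64 * 1024)
    except LZWBudgetExceeded as exc:
        print("bounded decoder refused:", exc)
```

The dictionary itself is bounded by the 12-bit code space, so the part that can grow without limit is the output; that is why the budget is applied per appended entry rather than to the table. A real consumer would derive max_output from the context (for example, a multiple of the declared stream length or a fixed per-document ceiling) instead of trusting the stream to stop on its own.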

What is the Impact of CVE-2025-62708?

Successful exploitation may allow attackers to cause a denial-of-service condition by exhausting system memory resources, leading to instability or crashing of the application processing the PDF.

What is the Exploitability of CVE-2025-62708?

Exploitation of this vulnerability is of moderate complexity: the attacker must craft a PDF containing an LZW-compressed stream whose content triggers the memory growth. No authentication is required, because the vulnerability is reached whenever an application built on pypdf processes a user-supplied PDF. The attack is remote when the PDF is delivered by email, web upload or download, and local when the file is supplied directly. The only precondition is that the target parses a page whose content stream uses the LZWDecode filter; the filter is declared inside the PDF itself, not configured on the target. Exposure is increased by the widespread use of pypdf in applications that accept PDFs from untrusted sources.
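A defender's first question is whether a given PDF even reaches the affected code path, that is, whether it contains a stream filtered with LZWDecode. The following is an added triage example, not pypdf code: it scans the raw bytes of a PDF for stream objects whose /Filter entry names /LZWDecode and reports them with their filter chain and declared /Length. SAMPLE_PDF is a constructed file for illustration, not a real or malicious document, and the function and regex names are assumptions of the example. It is a heuristic, not a PDF parser: objects packed inside object streams are invisible to it, and binary stream data containing the text "endobj" can confuse the split, so treat "no hits" as "nothing visible", not as "safe"; it complements the upgrade rather than replacing it.

```python
"""Added example (not pypdf code): triage scan for LZWDecode streams in a PDF."""
import re
import sys

# Constructed sample for this example, not a real or malicious file: three
# streams, of which two pass through LZWDecode (one directly, one after
# ASCIIHexDecode) and one uses FlateDecode only.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
    b"/Contents 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 5 /Filter /LZWDecode "
    b"/DecodeParms << /EarlyChange 1 >> >>\nstream\n\x80\x00\x00\x00\x00\nendstream\nendobj\n"
    b"5 0 obj\n<< /Length 7 0 R /Filter [ /ASCIIHexDecode /LZWDecode ] >>\n"
    b"stream\n8000\nendstream\nendobj\n"
    b"6 0 obj\n<< /Length 3 /Filter /FlateDecode >>\nstream\nabc\nendstream\nendobj\n"
    b"7 0 obj\n4\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj << ... >> stream": greedy so the dictionary ends at the last ">>"
# before the stream keyword, which keeps nested << >> (DecodeParms) inside it.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*>>)\s*stream\r?\n", re.DOTALL)
FILTER_NAME_RE = re.compile(rb"/([A-Za-z0-9]+Decode)\b")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")


def find_lzw_streams(pdf: bytes) -> list[dict]:
    """One record per stream object whose filter chain includes /LZWDecode."""
    hits = []
    for chunk in pdf.split(b"endobj"):  # one object per chunk (heuristic)
        m = STREAM_OBJ_RE.search(chunk)
        if not m:
            continue
        dictionary = m.group(3)
        filters = [f.decode() for f in FILTER_NAME_RE.findall(dictionary)]
        if "LZWDecode" not in filters:
            continue
        lm = LENGTH_RE.search(dictionary)
        # An indirect /Length such as "7 0 R" is reported as None, not resolved.
        declared = int(lm.group(1)) if lm and not lm.group(2) else None
        hits.append({
            "object": f"{m.group(1).decode()} {m.group(2).decode()}",
            "filters": filters,
            "declared_length": declared,
        })
    return hits


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for hit in find_lzw_streams(data):
        print(hit)
```

Run it as `python scan_lzw.py suspect.pdf` (file name assumed) to list the LZW streams before handing a document to an unpatched pypdf; a small declared /Length on a hit is worth a closer look, since the decoded size is what matters and it is not recorded in the file.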

What are the Known Public Exploits?

No known public exploits (proof of concept, author, link or commentary) have been published for this vulnerability.

What are the Available Fixes for CVE-2025-62708?

Available Upgrade Options

  • pypdf
    • <6.1.3 → Upgrade to 6.1.3 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2025-62708?

Similar Vulnerabilities: CVE-2025-66019, CVE-2025-55197, CVE-2022-38448, CVE-2022-38449, CVE-2021-39281