GHSA-jj6c-8h6c-hppx
denial of service vulnerability in pypdf (PyPI)
What is GHSA-jj6c-8h6c-hppx About?
This is a denial of service vulnerability in `pypdf` that can be triggered by parsing a crafted PDF document. Specifically, PDFs with large, incorrect cross-reference stream sizes or object stream values lead to excessively long runtimes during processing. This can be exploited by an attacker providing a malicious PDF to an application using `pypdf`.
Affected Software
Technical Details
The denial of service vulnerability in pypdf (versions prior to 6.10.1) arises when parsing specially crafted PDF documents. An attacker can manipulate PDF structure by providing cross-reference streams with erroneously large /Size values or object streams with incorrectly large /N values. When pypdf attempts to process such malformed PDFs, these inflated size indicators cause the parsing routines to allocate excessive memory or perform an inordinate number of operations. This leads to significantly prolonged execution times, effectively consuming system resources and rendering the application unresponsive, thus constituting a denial of service. The underlying issue is inefficient handling of these specific malformed PDF structures.
What is the Impact of GHSA-jj6c-8h6c-hppx?
Successful exploitation may allow attackers to induce excessively long processing times, potentially leading to resource exhaustion and denial of service for applications processing PDF files.
What is the Exploitability of GHSA-jj6c-8h6c-hppx?
Exploitation involves crafting a malformed PDF file; the complexity is moderate as it requires specific knowledge of PDF internal structures. No authentication is required, and exploitation is typically remote if an application processes untrusted PDF uploads or inputs. Privilege requirements are limited to the ability to supply a PDF document to the vulnerable application. The special conditions include the presence of incorrect large /Size values in cross-reference streams or large /N values in object streams within the PDF. The risk factors are increased for any application that accepts and processes arbitrary PDF files from external sources without prior validation or sanitization, as this provides a direct vector for introducing the malicious payload.
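The Technical Details above name the two declared counts that drive the long runtimes: /Size in cross-reference streams and /N in object streams. The following added example (not pypdf's code and not from the advisory) is a pre-parse sanity check an application could run on an untrusted upload before handing it to pypdf: it locates those dictionaries in the raw bytes and flags counts that exceed the file's own length, an assumed bound that no sane PDF approaches. It is a heuristic complement to upgrading to 6.10.1, not a replacement, since values hidden in compressed object streams or given as indirect references are not visible to it.

```python
import re

# The advisory's two structures and the count key each one carries.
_COUNT_KEY = {b"XRef": b"Size", b"ObjStm": b"N"}
_TYPE_RE = re.compile(rb"/Type\s*/(XRef|ObjStm)\b")


def _enclosing_dict(data: bytes, pos: int) -> bytes:
    """Innermost << ... >> containing offset pos; nested dictionaries are skipped."""
    depth, start = 0, pos
    while start > 0:                        # back up to the unmatched "<<"
        start -= 1
        tok = data[start:start + 2]
        if tok == b"<<" and depth == 0:
            break
        depth += (tok == b">>") - (tok == b"<<")
    depth, end = 0, start
    while end < len(data):                  # forward to the matching ">>"
        tok = data[end:end + 2]
        depth += (tok == b"<<") - (tok == b">>")
        end += 2 if tok in (b"<<", b">>") else 1
        if tok == b">>" and depth == 0:
            return data[start:end]
    return data[start:]


def suspicious_counts(data: bytes, max_per_byte: float = 1.0) -> list[tuple[str, str, int, int]]:
    """(structure, key, declared count, limit) for every cross-reference or object
    stream whose /Size or /N exceeds max_per_byte * len(data).  Assumed bound: no
    sane PDF declares more objects than it has bytes.  Heuristic only: counts inside
    compressed object streams or given as indirect references are not seen."""
    limit = max(int(len(data) * max_per_byte), 1)
    findings = []
    for m in _TYPE_RE.finditer(data):
        kind, key = m.group(1), _COUNT_KEY[m.group(1)]
        hit = re.search(rb"/" + key + rb"\s+(\d+)", _enclosing_dict(data, m.start()))
        if hit and int(hit.group(1)) > limit:
            findings.append((kind.decode(), key.decode(), int(hit.group(1)), limit))
    return findings


# Constructed sample, not a working PDF: under 300 bytes, yet its cross-reference
# stream claims four billion objects, while the object stream's /N 2 is plausible.
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /N 2 /First 8 /Length 20 >>\nstream\n...\n"
    b"endstream\nendobj\n2 0 obj\n<< /DecodeParms << /Columns 4 /Predictor 12 >>"
    b" /Type /XRef /Size 4000000000 /W [1 2 1] /Filter /FlateDecode /Length 16 >>\n"
    b"stream\n...\nendstream\nendobj\nstartxref\n0\n%%EOF\n"
)
```

A file that produces any finding should be rejected or routed to a sandboxed worker with a CPU time limit rather than parsed in-process.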
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-jj6c-8h6c-hppx?
Available Upgrade Options
- pypdf
  - <6.10.1 → Upgrade to 6.10.1
What are Similar Vulnerabilities to GHSA-jj6c-8h6c-hppx?
Similar Vulnerabilities: CVE-2023-45133, CVE-2020-13936, CVE-2021-26291, CVE-2021-36109, CVE-2022-35805
