Skip to content

chore(deps): update dependency pypdf to v6.10.2 [security]#58

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-pypdf-vulnerability
Open

chore(deps): update dependency pypdf to v6.10.2 [security]#58
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-pypdf-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Jan 27, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
pypdf (changelog) 6.6.16.10.2 age confidence

pypdf has possible Infinite Loop when processing outlines/bookmarks

CVE-2026-24688 / GHSA-2q4j-m29v-hq73

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks.

Patches

This has been fixed in pypdf 6.6.2.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3610.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf has a possible infinite loop when processing TreeObject

CVE-2026-27024 / GHSA-996q-pr4m-cvgq

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3645.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf has possible long runtimes/large memory usage for large /ToUnicode streams

CVE-2026-27025 / GHSA-wgvp-vg3v-2xq3

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3646.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf possibly has long runtimes for malformed FlateDecode streams

CVE-2026-27026 / GHSA-9mvc-8737-8j8h

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3644.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

CVE-2026-27628 / GHSA-2rw7-x74f-jg35

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.

Patches

This has been fixed in pypdf==6.7.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3655.

Severity

  • CVSS Score: 1.2 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated FlateDecode XFA streams can exhaust RAM

CVE-2026-27888 / GHSA-x7hp-r3qg-r3cj

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode.

Patches

This has been fixed in pypdf==6.7.3.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3658.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated RunLengthDecode streams can exhaust RAM

CVE-2026-28351 / GHSA-f2v5-7jq9-h8cg

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.

Patches

This has been fixed in pypdf==6.7.4.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3664.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams

CVE-2026-28804 / GHSA-9m86-7pmv-2852

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter.

Patches

This has been fixed in pypdf==6.7.5.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3666.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: manipulated stream length values can exhaust RAM

CVE-2026-31826 / GHSA-hqmh-ppp3-xvm7

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream.

Patches

This has been fixed in pypdf==6.8.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3675.

As far as we are aware, this mostly affects reading from buffers of unknown size, as returned by open("file.pdf", mode="rb") for example. Passing a file path or a BytesIO buffer to pypdf instead does not seem to trigger the vulnerability.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf has inefficient decoding of array-based streams

CVE-2026-33123 / GHSA-qpxp-75px-xjcp

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries.

Patches

This has been fixed in pypdf==6.9.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3686.

Severity

  • CVSS Score: 5.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

CVE-2026-33699 / GHSA-87mj-5ggw-8qc3

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

Patches

This has been fixed in pypdf==6.9.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3693.

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated XMP metadata entity declarations can exhaust RAM

CVE-2026-40260 / GHSA-3crg-w4f6-42mx

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3724.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf has long runtimes for wrong size values in cross-reference and object streams

CVE-2026-41168 / GHSA-jj6c-8h6c-hppx

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values.

Patches

This has been fixed in pypdf==6.10.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3733.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Possible long runtimes for wrong size values in incremental mode

CVE-2026-41313 / GHSA-4pxv-j86v-mhcw

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3735.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM

CVE-2026-41312 / GHSA-7gw9-cf7v-778f

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor unequal 1 and large predictor parameters.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated FlateDecode image dimensions can exhaust RAM

CVE-2026-41314 / GHSA-x284-j5p8-9c5p

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

py-pdf/pypdf (pypdf)

v6.10.2

Compare Source

Security (SEC)
  • Do not rely on possibly invalid /Size for incremental cloning (#​3735)
  • Introduce limits for FlateDecode parameters and image decoding (#​3734)

Full Changelog

v6.10.1

Compare Source

Security (SEC)
  • Do not rely on possibly invalid /Size for incremental cloning (#​3735)
  • Introduce limits for FlateDecode parameters and image decoding (#​3734)

Full Changelog

v6.10.0

Compare Source

Security (SEC)
  • Limit the allowed size of xref and object streams (#​3733)
Robustness (ROB)
  • Consider strict mode setting for decryption errors (#​3731)
Documentation (DOC)
  • Use new parameter names for compress_identical_objects

Full Changelog

v6.9.2

Compare Source

Security (SEC)
  • Avoid infinite loop in read_from_stream for broken files (#​3693)
Robustness (ROB)
  • Resolve UnboundLocalError for xobjs in _get_image (#​3684)

Full Changelog

v6.9.1

Compare Source

Security (SEC)
  • Avoid infinite loop in read_from_stream for broken files (#​3693)
Robustness (ROB)
  • Resolve UnboundLocalError for xobjs in _get_image (#​3684)

Full Changelog

v6.9.0

Compare Source

Security (SEC)
  • Improve performance and limit length of array-based content streams (#​3686)

Full Changelog

v6.8.0

Compare Source

New Features (ENH)
  • Expose /Perms verification result on Encryption object (#​3672)
Performance Improvements (PI)
  • Fix O(n²) performance in NameObject read/write (#​3679)
  • Batch-parse all objects in ObjStm on first access (#​3677)
Bug Fixes (BUG)
  • Avoid sharing array-based content streams between pages (#​3681)
  • Avoid accessing invalid page when inserting blank page under some conditions (#​3529)

Full Changelog

v6.7.5

Compare Source

Security (SEC)
  • Limit allowed /Length value of stream (#​3675)
New Features (ENH)
  • Add /IRT (in-reply-to) support for markup annotations (#​3631)
Documentation (DOC)
  • Avoid using PageObject.replace_contents on PdfReader (#​3669)
  • Document how to disable jbig2dec calls

Full Changelog

v6.7.4

Compare Source

Security (SEC)
  • Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.3

Compare Source

Security (SEC)
  • Allow limiting output length for RunLengthDecode filter (#​3664)
Robustness (ROB)
  • Deal with invalid annotations in extract_links (#​3659)

Full Changelog

v6.7.2

Compare Source

Security (SEC)
  • Use zlib decompression limit when retrieving XFA data (#​3658)

Full Changelog

v6.7.1

Compare Source

Security (SEC)
  • Prevent infinite loop from circular xref /Prev references (#​3655)
Bug Fixes (BUG)
  • Fix wrong LUT size error (#​3651)
  • Fix handling of page boxes defined on /Pages (#​3650)

Full Changelog

v6.7.0

Compare Source

Security (SEC)
  • Detect cyclic references when accessing TreeObject.children (#​3645)
  • Limit size of /ToUnicode entries (#​3646)
  • Limit FlateDecode recovery attempts (#​3644)
Bug Fixes (BUG)
  • Avoid own object replacement logic in PageObject.replace_contents (#​3638)
  • Fix UnboundLocalError when update_page_form_field_values with /Sig (#​3634)
Robustness (ROB)
  • Avoid divison by zero when decoding FlateDecode PNG prediction (#​3641)

Full Changelog

v6.6.2

Compare Source

Deprecations (DEP)
  • Deprecate support for abbreviations in decode_stream_data (#​3617)
New Features (ENH)
  • Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#​3624)
Bug Fixes (BUG)
  • Avoid invalid load for ICCBased FlateDecode images in mode 1 (#​3619)
Robustness (ROB)
  • Fix AESV2 decryption when /Length missing in encrypt dict (#​3629)
  • Fix merging when annotations point to NullObject (#​3613)
  • Check for self._info being None in compress_identical_objects (#​3612)

Full Changelog

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 27, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

poetry.lock

PackageVersionLicenseIssue Type
pypdf6.11.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
pip/pypdf 6.11.0 UnknownUnknown

Scanned Files

  • poetry.lock

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 27, 2026
edited
Loading

Test Results (Python 3.14)

183 tests  ±0   183 ✅ ±0   17s ⏱️ -1s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 1865d0d. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 27, 2026

Coverage report

This PR does not seem to contain any modification to coverable code.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 27, 2026
edited
Loading

Combined Test Results

  5 files  ±0    5 suites  ±0   1m 11s ⏱️ -1s
183 tests ±0  183 ✅ ±0  0 💤 ±0  0 ❌ ±0 
915 runs  ±0  915 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 1865d0d. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.

@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 7f8a320 to 008e839 Compare February 12, 2026 17:42
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 008e839 to b18307d Compare February 19, 2026 22:12
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.6.2 [security] chore(deps): update dependency pypdf to v6.7.1 [security] Feb 19, 2026
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.7.1 [security] chore(deps): update dependency pypdf to v6.7.2 [security] Feb 25, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from b18307d to b30c152 Compare February 25, 2026 18:16
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.7.2 [security] chore(deps): update dependency pypdf to v6.7.3 [security] Feb 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from b30c152 to 6050056 Compare February 27, 2026 21:36
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.7.3 [security] chore(deps): update dependency pypdf to v6.7.4 [security] Mar 2, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 6050056 to a822a2c Compare March 3, 2026 14:10
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.7.4 [security] chore(deps): update dependency pypdf to v6.7.5 [security] Mar 3, 2026
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.7.5 [security] chore(deps): update dependency pypdf to v6.8.0 [security] Mar 11, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from a822a2c to d5e24f9 Compare March 11, 2026 04:09
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from d5e24f9 to fcdd0b4 Compare March 19, 2026 01:20
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.8.0 [security] chore(deps): update dependency pypdf to v6.9.1 [security] Mar 19, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from fcdd0b4 to d4c1138 Compare March 25, 2026 22:13
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.9.1 [security] chore(deps): update dependency pypdf to v6.9.2 [security] Mar 25, 2026
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.9.2 [security] chore(deps): update dependency pypdf to v6.9.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-pypdf-vulnerability branch March 27, 2026 01:56
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.9.2 [security] - autoclosed chore(deps): update dependency pypdf to v6.9.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from d4c1138 to 620afee Compare March 30, 2026 20:43
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 620afee to 77aa039 Compare April 11, 2026 01:10
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.9.2 [security] chore(deps): update dependency pypdf to v6.10.0 [security] Apr 11, 2026
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.10.0 [security] chore(deps): update dependency pypdf to v6.10.1 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 77aa039 to 1dd37e7 Compare April 16, 2026 10:50
@renovate renovate Bot changed the title chore(deps): update dependency pypdf to v6.10.1 [security] chore(deps): update dependency pypdf to v6.10.2 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 1dd37e7 to 1865d0d Compare May 12, 2026 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants