Description
pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This issue has been patched in version 6.4.0.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7
Patch x_refsource_misc
https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2
Release Notes x_refsource_misc
https://github.com/py-pdf/pypdf/releases/tag/6.4.0
Scores
CVSS v4
6.6
EPSS
0.0006
EPSS Percentile
18.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
CWE-409
Status
published
Products (2)
py-pdf/pypdf
< 6.4.0
pypi/pypdf
0 - 6.4.0PyPI
Published
Nov 26, 2025
Tracked Since
Feb 18, 2026