6.8

pypdf RAM exhaustion through malicious PDF images

GHSA-x284-j5p8-9c5p
Summary

A malicious PDF file can cause your system to run out of memory. This is a risk if you use the pypdf library to process PDFs. To stay safe, update to the latest version of pypdf or apply the suggested patch from the developers.

What to do
  • Update pypdf to version 6.10.2.
Affected software
Ecosystem | Vendor | Product | Affected versions
pip | – | pypdf | < 6.10.2

Fix: upgrade to 6.10.2
Original title
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Original description
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values.

### Patches
This has been fixed in [pypdf==6.10.2](https://github.com/py-pdf/pypdf/releases/tag/6.10.2).

### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3734](https://github.com/py-pdf/pypdf/pull/3734).
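As an added illustration of a caller-side guard that can be applied while an upgrade is pending (this is example code, not pypdf's own fix from PR #3734), the following Python computes the pixel buffer an image XObject would occupy once `/FlateDecode` is undone, from its declared `/Width`, `/Height`, `/BitsPerComponent` and `/ColorSpace`, and reports any image that exceeds a memory budget before any decoding is attempted. The 64 MiB budget, the constructed sample dictionaries and the function names are assumptions; the only pypdf call is the `PdfReader` usage at the bottom, which is skipped when the library is not installed.

```python
"""Declared-dimension check for PDF image XObjects (added example, not pypdf code)."""
from __future__ import annotations

# Assumption: the largest decoded image we are willing to hold in memory.
DEFAULT_BUDGET_BYTES = 64 * 1024 * 1024

# Component counts for the common named colour spaces (PDF 32000-1:2008, 8.6).
_COMPONENTS = {
    "/DeviceGray": 1, "/CalGray": 1, "/Indexed": 1,
    "/DeviceRGB": 3, "/CalRGB": 3, "/Lab": 3,
    "/DeviceCMYK": 4,
}


def _deref(obj):
    """Resolve a pypdf IndirectObject if given one; plain Python objects pass through."""
    return obj.get_object() if hasattr(obj, "get_object") else obj


def components_for(color_space) -> int:
    """Map a /ColorSpace entry (name or array form) to a component count.
    Unknown spaces get the conservative maximum of 4 so the size estimate errs high."""
    color_space = _deref(color_space)
    if isinstance(color_space, (list, tuple)) and color_space:
        family = str(color_space[0])
        if family == "/Indexed":
            return 1
        if family == "/ICCBased":
            # The ICC stream dictionary carries the component count in /N.
            try:
                return int(_deref(color_space[1])["/N"])
            except (KeyError, TypeError, ValueError, IndexError):
                return 4
        return _COMPONENTS.get(family, 4)
    return _COMPONENTS.get(str(color_space), 4)


def decoded_size_bytes(image: dict) -> int:
    """Bytes the fully decoded pixel buffer would occupy; rows are byte-aligned."""
    width = int(image.get("/Width", 0))
    height = int(image.get("/Height", 0))
    bpc = 1 if image.get("/ImageMask") else int(image.get("/BitsPerComponent", 8))
    if width < 0 or height < 0 or bpc <= 0:
        raise ValueError("invalid image dimensions")
    n = 1 if image.get("/ImageMask") else components_for(image.get("/ColorSpace", "/DeviceGray"))
    row_bytes = (width * n * bpc + 7) // 8
    return row_bytes * height


def is_within_budget(image: dict, budget: int = DEFAULT_BUDGET_BYTES) -> bool:
    """True when decoding this image cannot exceed the budget from its declared size alone."""
    return decoded_size_bytes(image) <= budget


def find_oversized_images(page, budget: int = DEFAULT_BUDGET_BYTES) -> list:
    """Names of image XObjects on a page (pypdf PageObject or plain dict) whose
    declared size exceeds the budget. Only dictionary lookups happen here."""
    oversized = []
    resources = _deref(page.get("/Resources")) or {}
    xobjects = _deref(resources.get("/XObject")) or {}
    for name, obj in xobjects.items():
        obj = _deref(obj)
        if str(obj.get("/Subtype")) == "/Image" and not is_within_budget(obj, budget):
            oversized.append(str(name))
    return oversized


# Constructed sample dictionaries mirroring image XObject entries (not from a real file).
SAMPLE_BENIGN = {"/Subtype": "/Image", "/Filter": "/FlateDecode", "/Width": 800,
                 "/Height": 600, "/BitsPerComponent": 8, "/ColorSpace": "/DeviceRGB"}
SAMPLE_OVERSIZED = {"/Subtype": "/Image", "/Filter": "/FlateDecode", "/Width": 100000,
                    "/Height": 100000, "/BitsPerComponent": 8, "/ColorSpace": "/DeviceRGB"}
FAKE_PAGE = {"/Resources": {"/XObject": {"/Im0": SAMPLE_BENIGN, "/Im1": SAMPLE_OVERSIZED}}}


if __name__ == "__main__":
    import sys
    # With a real file: refuse to touch page.images when any XObject is oversized.
    try:
        from pypdf import PdfReader
    except ImportError:
        PdfReader = None
    if PdfReader is not None and len(sys.argv) > 1:
        for index, page in enumerate(PdfReader(sys.argv[1]).pages):
            bad = find_oversized_images(page)
            print(f"page {index}: {'skip ' + ', '.join(bad) if bad else 'ok to decode'}")
    else:
        print("oversized on constructed page:", find_oversized_images(FAKE_PAGE))
```

The check deliberately reads only dictionary entries and never accesses the stream data, so a crafted image cannot trigger the allocation while it is being assessed; the budget should be tuned to the memory the hosting process can actually spare per image.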
Source: GHSA · CVSS 4.0 score: 6.8
Vulnerability type
CWE-789
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026