Death by Decompression: Inside the pypdf XFA RAM Exhaustion Exploit
Vulnerability ID: CVE-2026-27888
CVSS Score: 6.6
Published: 2026-02-26
A critical resource exhaustion vulnerability in the popular pypdf library allows attackers to crash applications by supplying a malicious PDF. The flaw lies in the handling of XML Forms Architecture (XFA) streams, where a 'zip bomb' technique can trigger unbounded memory allocation.
TL;DR
pypdf versions prior to 6.7.3 are vulnerable to a Denial of Service attack via the xfa property. An attacker can craft a tiny PDF with a highly compressed stream that expands to gigabytes in memory, crashing the Python process.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- CVSS v4.0: 6.6 (Medium)
- Attack Vector: Network / Local
- Exploit Status: PoC Available
- Impact: Denial of Service (DoS)
- Affected Component: pypdf.PdfReader.xfa
Affected Systems
- pypdf < 6.7.3
- Python applications processing untrusted PDFs
- RAG pipelines using pypdf for extraction
- pypdf: < 6.7.3 (Fixed in: 6.7.3)
Code Analysis
Commit: 7a4c824
Fix infinite loop and memory exhaustion in XFA handling
- es = zlib.decompress(field._data)
+ es = _decompress_with_limit(field._data)
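Review bot: the call-site swap to _decompress_with_limit(field._data) is the only change shown, so a reviewer cannot see what ceiling the helper enforces or what happens when a stream exceeds it (exception to the caller versus silent truncation); the excerpt should include the helper's definition. The commit message also says it fixes an infinite loop, but nothing in this hunk touches a loop, so that part of the change needs to be shown as well.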
Exploit Details
- pypdf Repository: Unit test demonstrating the exhaustion logic
Mitigation Strategies
- Input Validation: Never trust external files.
- Resource Limits: Enforce memory limits on worker processes.
- Library Updates: Keep dependencies patched.
Remediation Steps:
- Update pypdf to version 6.7.3 or higher using pip install --upgrade pypdf.
- If you cannot update, avoid accessing the reader.xfa or writer.xfa properties on untrusted documents.
- Configure your container orchestration (Kubernetes/Docker) to set hard memory limits on pods processing PDFs to ensure they are killed before destabilizing the node.
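The bounded inflater below is an added example of the kind of helper the fix swaps in for zlib.decompress; it is not pypdf's own _decompress_with_limit, whose definition does not appear on this page. The names decompress_with_limit, is_safe_to_inflate and the 64 MiB default ceiling are assumptions, and the sample stream is constructed (a run of zeros that deflate shrinks roughly 1000:1) to show how a few kilobytes of input are rejected before they can balloon in memory.

```python
import zlib


class DecompressionLimitExceeded(ValueError):
    """Inflated output would exceed the caller's ceiling (a 'zip bomb')."""


def decompress_with_limit(data: bytes, max_bytes: int = 64 * 1024 * 1024,
                          chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream, aborting as soon as output exceeds max_bytes.

    zlib.decompress() allocates whatever the stream expands to, so a few KB
    of input can become gigabytes. Driving a decompressobj with max_length
    returns the output in bounded pieces, so the running total is checked
    after every piece and the stream rejected long before memory runs out.
    (Assumed helper, not pypdf's; the 64 MiB default is an assumption.)
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        before = len(pending)
        piece = d.decompress(pending, chunk)   # at most `chunk` bytes back
        pending = d.unconsumed_tail            # input zlib has not read yet
        if not piece and len(pending) == before:
            raise zlib.error("truncated or stalled zlib stream")
        out.extend(piece)
        if len(out) > max_bytes:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {max_bytes} bytes after "
                f"{len(data) - len(pending)} of {len(data)} input bytes")
    return bytes(out)


def is_safe_to_inflate(data: bytes, max_bytes: int) -> bool:
    """True if the stream is well-formed and inflates to at most max_bytes."""
    try:
        decompress_with_limit(data, max_bytes)
    except (DecompressionLimitExceeded, zlib.error):
        return False
    return True


def constructed_bomb(inflated_size: int) -> bytes:
    """Constructed sample: a run of zeros, which deflate shrinks ~1000:1."""
    return zlib.compress(b"\x00" * inflated_size, 9)


if __name__ == "__main__":
    bomb = constructed_bomb(8 * 1024 * 1024)                # ~8 KiB compressed
    print(len(bomb), "compressed bytes")
    print("safe under 1 MiB:", is_safe_to_inflate(bomb, 1024 * 1024))       # False
    print("safe under 16 MiB:", is_safe_to_inflate(bomb, 16 * 1024 * 1024)) # True
```

The same check can be run over a raw XFA stream's bytes before handing them to any inflater, which is the position an application stuck on a pre-6.7.3 pypdf is in.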
References
Read the full report for CVE-2026-27888 on our website for more details including interactive diagrams and full exploit analysis.