GHSA-JJ6C-8H6C-HPPX: GHSA-JJ6C-8H6C-HPPX: Uncontrolled Resource Consumption in pypdf via Malformed PDF Streams

GHSA-JJ6C-8H6C-HPPX: Uncontrolled Resource Consumption in pypdf via Malformed PDF Streams

Vulnerability ID: GHSA-JJ6C-8H6C-HPPX
CVSS Score: 5.5
Published: 2026-04-15

The pypdf library prior to version 6.10.1 contains a moderate-severity vulnerability related to the handling of cross-reference (xref) and object streams. The library fails to adequately validate the sizes of these streams against supplied metadata, leading to excessive iteration and uncontrolled resource consumption when parsing maliciously crafted PDF documents.

TL;DR

pypdf versions prior to 6.10.1 are vulnerable to Denial of Service (DoS) due to inadequate validation of xref and object stream sizes, allowing crafted PDFs to trigger unbounded resource consumption.

---

⚠️ Exploit Status: POC

Technical Details

• Vulnerability Type: Uncontrolled Resource Consumption
• CWE IDs: CWE-400, CWE-834
• Attack Vector: Local / Remote via File Upload
• Impact: Denial of Service (DoS)
• Authentication Required: None
• Affected Component: pypdf xref and object stream parser

Affected Systems

• Python web applications accepting PDF uploads
• Automated document processing pipelines
• Data extraction and indexing services
• Serverless functions analyzing document content
• pypdf: < 6.10.1 (Fixed in: 6.10.1)

Mitigation Strategies

• Upgrade pypdf to version 6.10.1 or later.
• Enforce execution timeouts for all PDF parsing operations.
• Isolate PDF processing into bounded subprocesses or dedicated worker containers.
• Apply operating system or orchestrator-level memory limits to parsing processes.

Remediation Steps:

1. Identify all projects utilizing the pypdf library by reviewing dependency manifests (requirements.txt, Pipfile, pyproject.toml).
2. Update the dependency version specification to require >=6.10.1.
3. Execute integration tests to ensure the updated library maintains compatibility with expected document formats.
4. Deploy the updated application build to production environments.
5. Monitor application resource utilization to verify the mitigation of unbounded parsing tasks.

References

• GitHub Advisory GHSA-JJ6C-8H6C-HPPX
• Fix Pull Request: SEC: Limit the allowed size of xref and object streams
• pypdf v6.10.1 Release Notes
• Maintainer Profile: stefan6419846

---

Read the full report for GHSA-JJ6C-8H6C-HPPX on our website for more details including interactive diagrams and full exploit analysis.