pypdf: Missing stream length values ignore defined limits
Moderate severity • GitHub Reviewed • Published Jun 17, 2026 in py-pdf/pypdf • Updated Jun 18, 2026
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.
Patches
This has been fixed in pypdf==6.13.3.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3871.
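For services that must keep accepting untrusted PDFs before they can upgrade, a triage pass can flag files that meet the precondition named under Impact: a stream whose dictionary has no /Length key. The scanner below is an added example, not code from pypdf or from the referenced PR; its function names and the sample bytes are constructed for illustration. It is a raw-byte heuristic that does not decode #xx-escaped names, and a hit marks a file for review rather than proving it malicious.

```python
import re

# Heuristic raw-byte scan; does not decode #xx-escaped names or parse strings.
STREAM_KW = re.compile(rb">>\s*stream\r?\n")          # end of dict, then stream keyword
LENGTH_KEY = re.compile(rb"/Length(?![0-9A-Za-z#])")  # /Length, not /Length1 etc.
DELIMS = re.compile(rb"<<|>>")

def dict_start(data: bytes, end: int) -> int:
    """Offset of the '<<' matching the '>>' that ends at `end`, or -1."""
    depth, pos = 0, end
    while pos > 0:
        lt = data.rfind(b"<<", 0, pos)
        gt = data.rfind(b">>", 0, pos)
        if lt < 0 and gt < 0:
            return -1
        if gt > lt:
            depth, pos = depth + 1, gt
        else:
            depth, pos = depth - 1, lt
            if depth == 0:
                return lt
    return -1

def has_top_level_length(body: bytes) -> bool:
    """True if /Length is a key of the outer dictionary, not a nested one."""
    depth, last = 0, 0
    for m in DELIMS.finditer(body):
        if depth == 1 and LENGTH_KEY.search(body, last, m.start()):
            return True
        depth += 1 if m.group() == b"<<" else -1
        last = m.end()
    return False

def streams_missing_length(data: bytes) -> list[int]:
    """Byte offsets of stream dictionaries with no top-level /Length."""
    hits = []
    for m in STREAM_KW.finditer(data):
        end = m.start() + 2
        start = dict_start(data, end)
        if start >= 0 and not has_top_level_length(data[start:end]):
            hits.append(start)
    return hits

# Constructed sample: object 1 declares /Length, objects 2 and 3 do not.
SAMPLE = (
    b"1 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    b"2 0 obj\n<< /Filter /X /DecodeParms << /Columns 4 >> >>\nstream\nabcd\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length1 10 >>\nstream\nwxyz\nendstream\nendobj\n"
)
```

Calling `streams_missing_length` on the bytes of an uploaded file returns the offsets worth inspecting; an empty list means every stream dictionary the scan found declares /Length.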