GHSA-JJ6C-8H6C-HPPX: Uncontrolled Resource Consumption in pypdf via Malformed PDF Streams

Vulnerability ID: GHSA-JJ6C-8H6C-HPPX
CVSS Score: 5.5
Published: 2026-04-15

This content originally appeared on DEV Community and was authored by CVE Reports

The pypdf library prior to version 6.10.1 contains a moderate-severity vulnerability related to the handling of cross-reference (xref) and object streams. The library fails to adequately validate the sizes of these streams against supplied metadata, leading to excessive iteration and uncontrolled resource consumption when parsing maliciously crafted PDF documents.

TL;DR

pypdf versions prior to 6.10.1 are vulnerable to Denial of Service (DoS) due to inadequate validation of xref and object stream sizes, allowing crafted PDFs to trigger unbounded resource consumption.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Uncontrolled Resource Consumption
  • CWE IDs: CWE-400, CWE-834
  • Attack Vector: Local / Remote via File Upload
  • Impact: Denial of Service (DoS)
  • Authentication Required: None
  • Affected Component: pypdf xref and object stream parser

Affected Systems

  • Python web applications accepting PDF uploads
  • Automated document processing pipelines
  • Data extraction and indexing services
  • Serverless functions analyzing document content
  • pypdf: < 6.10.1 (Fixed in: 6.10.1)

Mitigation Strategies

  • Upgrade pypdf to version 6.10.1 or later.
  • Enforce execution timeouts for all PDF parsing operations.
  • Isolate PDF processing into bounded subprocesses or dedicated worker containers.
  • Apply operating system or orchestrator-level memory limits to parsing processes.
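The three runtime mitigations above (timeout, isolation, memory cap) compose into one wrapper. The following is an added example, not code from the advisory or from pypdf: it runs the parse in a throwaway interpreter started with `subprocess`, applies `RLIMIT_CPU` and `RLIMIT_AS` in the child before it reads any PDF bytes, and enforces a wall-clock deadline from the parent. The helper names, the chosen limits, the two stand-in scripts that simulate a runaway parser, and the assumption of a Linux or macOS host (where `resource` and `preexec_fn` exist) are all assumptions of this example.

```python
"""Run pypdf in a throwaway child process that is capped on CPU time, address space and
wall-clock time, so a crafted xref/object stream exhausts the child, not the service.
Added example; limits, names and stand-in scripts are assumptions, not pypdf's own API."""
import resource
import subprocess
import sys
import textwrap
from dataclasses import dataclass
from typing import Optional

# Child-side script. pypdf is imported only here, inside the child, so a parser that never
# returns cannot take the parent down with it. It reads the PDF from stdin and prints the
# page count, which is enough to force the xref and object streams to be parsed.
PYPDF_PAGE_COUNT_SCRIPT = textwrap.dedent("""
    import io, sys
    from pypdf import PdfReader
    data = sys.stdin.buffer.read()
    print(len(PdfReader(io.BytesIO(data)).pages))
""")

# Constructed stand-ins used to exercise the limits without a malicious PDF on hand:
# one spins forever (unbounded iteration), one grabs 1 GiB in a single allocation.
SPIN_FOREVER_SCRIPT = "while True:\n    pass\n"
ALLOCATE_1GIB_SCRIPT = "buf = bytearray(1 << 30)\nprint(len(buf))\n"


@dataclass
class ParseOutcome:
    status: str                      # "ok", "timeout" or "error"
    page_count: Optional[int] = None
    detail: str = ""


def _limit_child(cpu_seconds: int, address_space_bytes: int) -> None:
    """Runs in the child after fork and before exec, before any PDF bytes are read."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))   # SIGXCPU on overrun
    resource.setrlimit(resource.RLIMIT_AS, (address_space_bytes, address_space_bytes))  # MemoryError on overrun


def parse_bounded(pdf_bytes: bytes, *, script: str = PYPDF_PAGE_COUNT_SCRIPT,
                  wall_seconds: float = 10.0, cpu_seconds: int = 5,
                  address_space_bytes: int = 512 * 1024 * 1024) -> ParseOutcome:
    """Parse untrusted PDF bytes under hard caps (Linux/macOS; the limit values are assumptions).

    RLIMIT_CPU stops a parser looping over a bogus stream, RLIMIT_AS turns oversized
    allocations into a MemoryError instead of swapping the host, and the wall-clock timeout
    covers a child that stalls without burning CPU.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", script],   # -I: isolated mode, no env/cwd imports
            input=pdf_bytes, capture_output=True, timeout=wall_seconds,
            preexec_fn=lambda: _limit_child(cpu_seconds, address_space_bytes),
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left behind.
        return ParseOutcome("timeout", detail=f"exceeded {wall_seconds}s wall clock")
    if proc.returncode != 0:
        lines = proc.stderr.decode(errors="replace").strip().splitlines()
        return ParseOutcome("error", detail=lines[-1] if lines else f"exit code {proc.returncode}")
    return ParseOutcome("ok", page_count=int(proc.stdout.decode().strip()))


if __name__ == "__main__":
    # At a real call site pdf_bytes comes from the upload; the stand-ins show the caps firing.
    print(parse_bounded(b"", script=SPIN_FOREVER_SCRIPT, wall_seconds=1.0))
    print(parse_bounded(b"", script=ALLOCATE_1GIB_SCRIPT, address_space_bytes=256 * 1024 * 1024))
```

A container or orchestrator memory limit still belongs on top of this: `RLIMIT_AS` caps one interpreter, not the sum of concurrent workers, and a pool of N parsers each allowed 512 MiB can still exhaust a small node.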

Remediation Steps:

  1. Identify all projects utilizing the pypdf library by reviewing dependency manifests (requirements.txt, Pipfile, pyproject.toml).
  2. Update the dependency version specification to require >=6.10.1.
  3. Execute integration tests to ensure the updated library maintains compatibility with expected document formats.
  4. Deploy the updated application build to production environments.
  5. Monitor application resource utilization to verify the mitigation of unbounded parsing tasks.
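Steps 1 and 2 are the part worth scripting. The following is an added example, not tooling from the advisory or from pypdf: it walks `requirements.txt` lines, decides whether each pypdf specifier can still resolve to a release below 6.10.1, and rewrites the ones that can. It deliberately treats a strict `>` as `>=` so that it over-reports rather than under-reports, handles only the requirements.txt syntax (Pipfile and pyproject.toml need their own readers), and the helper names and the sample manifest are constructed for this example.

```python
"""Audit requirements.txt lines for pypdf pins that admit a release below 6.10.1 and
rewrite the ones that do. Helper names, the sample manifest and the specifier handling
are assumptions of this example, not tooling from the advisory or from pypdf."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (6, 10, 1)          # first patched release named by the advisory
FIXED_SPEC = ">=" + ".".join(map(str, FIXED_VERSION))

_REQ = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?\s*(?P<spec>.*)$")
_CLAUSE = re.compile(r"^(?P<op>===|==|~=|!=|<=|>=|<|>)\s*(?P<ver>\S+)$")

# Constructed sample manifest that exercises each verdict; not taken from a real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests==2.32.3
pypdf==6.9.0            # exact pin below the fix
pypdf>=6,<6.10          # upper bound excludes 6.10.1
Pypdf ~= 6.10           # compatible release: still admits 6.10.0
pypdf                   # no floor at all
pypdf[crypto]>=6.10.1   # patched floor
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.10.1' -> (6, 10, 1). Pre-release and local suffixes are dropped and short forms
    are zero-padded so that '6.10' compares as (6, 10, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_patched(version: str) -> bool:
    """True for an installed pypdf version that carries the fix."""
    return parse_version(version) >= FIXED_VERSION


def classify_requirement(line: str) -> Optional[str]:
    """Verdict for one requirements.txt line, or None if it does not name pypdf:
      'fixed'      every admissible version is >= 6.10.1
      'vulnerable' an exact pin or an upper bound makes the fixed release unreachable
      'unpinned'   the floor is missing or below 6.10.1, so the resolver may still pick
                   a vulnerable release; check the lock file
    A strict '>' is treated like '>=' on purpose, so the audit errs toward reporting."""
    body = line.split("#", 1)[0].split(";", 1)[0].strip()   # drop comment and env marker
    m = _REQ.match(body)
    if not m or re.sub(r"[-_.]+", "-", m["name"]).lower() != "pypdf":
        return None
    exact, lower, upper_blocks_fix = None, None, False
    for clause in (c.strip() for c in m["spec"].split(",")):
        c = _CLAUSE.match(clause)
        if not c:                       # empty spec, URL reference, etc.
            continue
        op, ver = c["op"], parse_version(c["ver"])
        if op in ("==", "===") and not c["ver"].endswith(".*"):
            exact = ver
        elif op in ("==", ">=", ">", "~="):          # '==6.*' is a floor, not a pin
            lower = ver if lower is None else max(lower, ver)
        elif (op == "<" and ver <= FIXED_VERSION) or (op == "<=" and ver < FIXED_VERSION):
            upper_blocks_fix = True
    if exact is not None:
        return "fixed" if exact >= FIXED_VERSION else "vulnerable"
    if upper_blocks_fix:
        return "vulnerable"
    if lower is not None and lower >= FIXED_VERSION:
        return "fixed"
    return "unpinned"


def audit_requirements(text: str) -> List[Tuple[int, str, str]]:
    """(line number, line, verdict) for every pypdf requirement in a manifest."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        verdict = classify_requirement(line)
        if verdict is not None:
            findings.append((number, line.strip(), verdict))
    return findings


def remediate_line(line: str) -> str:
    """Raise the floor of a non-fixed pypdf requirement to >=6.10.1, keeping extras,
    environment markers and trailing comments."""
    if classify_requirement(line) in (None, "fixed"):
        return line
    head, hash_sep, comment = line.partition("#")
    body, marker_sep, marker = head.partition(";")
    m = _REQ.match(body.strip())
    rewritten = f"{m['name']}{m['extras'] or ''}{FIXED_SPEC}"
    if marker_sep:
        rewritten += f" ;{marker.rstrip()}"
    if hash_sep:
        rewritten += f"  #{comment}"
    return rewritten


if __name__ == "__main__":
    for number, line, verdict in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{number:>3}  {verdict:<10}  {line}")
        if verdict != "fixed":
            print(f"     -> {remediate_line(line)}")
```

An `unpinned` verdict is not a clean bill of health: what actually ships is whatever the lock file or the resolver picked, so pair this with `pip freeze` (or `importlib.metadata.version("pypdf")` in the deployed image) and feed that string to `is_patched` as the final check in step 5.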

References

Read the full report for GHSA-JJ6C-8H6C-HPPX on our website for more details including interactive diagrams and full exploit analysis.


Source: CVE Reports | Sciencx, 2026-04-15, https://www.scien.cx/2026/04/15/ghsa-jj6c-8h6c-hppx-ghsa-jj6c-8h6c-hppx-uncontrolled-resource-consumption-in-pypdf-via-malformed-pdf-streams/