CVE-2025-55197

pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55197.json"
}

References

Affected packages

Git / github.com/py-pdf/pypdf

Affected ranges

Type: GIT
Repo: https://github.com/py-pdf/pypdf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0dd57738bbdcdb63f0fb43d8a6b3d222b6946595

Affected versions

1.*

1.26.0

1.27.0

1.27.1

1.27.10

1.27.11

1.27.12

1.27.2

1.27.3

1.27.4

1.27.5

1.27.6

1.27.7

1.27.8

1.27.9

1.28.0

1.28.1

1.28.2

2.*

2.0.0

2.1.0

2.1.1

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.10.8

2.10.9

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0

2.6.0

2.7.0

2.8.0

2.8.1

2.9.0

3.*

3.0.0

3.1.0

3.10.0

3.11.0

3.11.1

3.12.0

3.12.1

3.12.2

3.13.0

3.14.0

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.2.0

3.2.1

3.3.0

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.6.0

3.7.0

3.7.1

3.8.0

3.8.1

3.9.0

3.9.1

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.3.1

5.*

5.0.0

5.0.1

5.1.0

5.2.0

5.3.0

5.3.1

5.4.0

5.5.0

5.6.0

5.6.1

5.7.0

5.8.0

5.9.0

v1.*

v1.17

v1.18

v1.19

v1.20

v1.21

v1.22

v1.23

v1.24

v1.25

v1.25.1