Skip to content

Update dependency pypdf to v6.1.3 [SECURITY] #1799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
esolitos merged 1 commit into from
Oct 28, 2025
Merged

Update dependency pypdf to v6.1.3 [SECURITY] #1799

esolitos merged 1 commit into from
Oct 28, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 22, 2025
edited
Loading

This PR contains the following updates:

Package Update Change OpenSSF
pypdf (changelog) minor ==6.0.0 -> ==6.1.3 OpenSSF Scorecard

GitHub Vulnerability Alerts

CVE-2025-62708

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter.

Patches

This has been fixed in pypdf==6.1.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3502.

CVE-2025-62707

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter.

Patches

This has been fixed in pypdf==6.1.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3501.

pypdf can exhaust RAM via manipulated LZWDecode streams

CVE-2025-62708 / GHSA-jfx9-29x2-rv3j

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter.

Patches

This has been fixed in pypdf==6.1.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3502.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf possibly loops infinitely when reading DCT inline images without EOF marker

CVE-2025-62707 / GHSA-vr63-x8vc-m265

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter.

Patches

This has been fixed in pypdf==6.1.3.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3501.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

py-pdf/pypdf (pypdf)

v6.1.3

Compare Source

Security (SEC)
  • Allow limiting size of LZWDecode streams (#​3502)
  • Avoid infinite loop when reading broken DCT-based inline images (#​3501)
Bug Fixes (BUG)
  • PageObject.scale() scales media box incorrectly (#​3489)
Robustness (ROB)
  • Fail with explicit exception when image mode is an empty array (#​3500)

Full Changelog

v6.1.2

Compare Source

Security (SEC)
  • Allow limiting size of LZWDecode streams (#​3502)
  • Avoid infinite loop when reading broken DCT-based inline images (#​3501)
Bug Fixes (BUG)
  • PageObject.scale() scales media box incorrectly (#​3489)
Robustness (ROB)
  • Fail with explicit exception when image mode is an empty array (#​3500)

Full Changelog

v6.1.1

Compare Source

Bug Fixes (BUG)
  • Fix handling of zero-length StreamObject (#​3485)
Robustness (ROB)
  • Deal with wrong size for incremental PDF files (#​3495)
  • Improve handling for malformed cross-reference tables (#​3483)
Developer Experience (DEV)
  • Use released Python 3.14
  • Use Mapping instead of dict in type hint of update_page_form_field_values (#​3490)

Full Changelog

v6.1.0

Compare Source

Bug Fixes (BUG)
  • Insert new embedded files in a sorted manner (#​3477)
  • Fix name tree handling for embedded files with Kids-based inputs (#​3475)
  • Make embedding files not break PDF/A-3 compliance (#​3472)
Documentation (DOC)
  • Document AFRelationship handling for PDF/A and provide constants (#​3478)

Full Changelog

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot temporarily deployed to Vespa Cloud CD October 22, 2025 21:53 Inactive
@esolitos esolitos merged commit bf2f198 into master Oct 28, 2025
8 checks passed
@esolitos esolitos deleted the renovate/pypi-pypdf-vulnerability branch October 28, 2025 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esolitos esolitos esolitos approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@esolitos