Intel

AIKIDO-2026-498497

lopdf is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

42

Medium Risk

This Affects:

RUSTlopdf
0.2.0 - 0.43.0
Fixed in 0.44.0
Are you affected? Scan for Free

TL;DR

lopdf decompresses PDF stream, object stream, and cross-reference stream content without enforcing any limit on the decompressed output size. A crafted PDF containing highly compressed FlateDecode or LZWDecode streams (a decompression bomb) expands into a very large buffer during document loading or text extraction. Processing such a document triggers excessive memory allocation and can exhaust available memory, resulting in denial of service. The fix adds a configurable LoadOptions.max_decompressed_size limit plus bounded decode APIs such as Stream::decompressed_content_with_limit that return DecompressError::MemoryLimitExceeded instead of allocating unbounded buffers.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application loads or extracts content from untrusted PDF documents.

Background info

lopdf is vulnerable to Denial of Service (DoS) in versions 0.2.0 - 0.43.0.

How to fix this

Upgrade the lopdf library to the patch version.