lopdf is vulnerable to Denial of Service (DoS)
42
Medium Risk
lopdf decompresses PDF stream, object stream, and cross-reference stream content without enforcing any limit on the decompressed output size. A crafted PDF containing highly compressed FlateDecode or LZWDecode streams (a decompression bomb) expands into a very large buffer during document loading or text extraction. Processing such a document triggers excessive memory allocation and can exhaust available memory, resulting in denial of service. The fix adds a configurable LoadOptions.max_decompressed_size limit plus bounded decode APIs such as Stream::decompressed_content_with_limit that return DecompressError::MemoryLimitExceeded instead of allocating unbounded buffers.
You are affected if you are using a version that falls within the vulnerable range and your application loads or extracts content from untrusted PDF documents.
lopdf is vulnerable to Denial of Service (DoS) in versions 0.2.0 - 0.43.0.
Upgrade the lopdf library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant