Intel

AIKIDO-2026-817514

pypdf is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)GHSA-g867-7843-wf8q Published Jun 25, 2026

62

Medium Risk

This Affects:

PYTHONpypdf
0.0.1 - 6.14.1
Fixed in 6.14.2
Are you affected? Scan for Free

TL;DR

pypdf extracts inline images from page content streams using dedicated decoders for the ASCII85 and ASCIIHex filters. These decoders read the stream in a loop and rewind two bytes whenever a terminator is not yet found, but they fail to detect when the underlying stream is already exhausted. A crafted PDF whose inline image is never properly terminated makes the decoder rewind and re-read the same bytes endlessly, hanging operations such as page text extraction. The fix detects an empty read from the stream and raises a read error instead of looping forever.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted PDFs containing inline images.

Background info

pypdf is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 6.14.1.

How to fix this

Upgrade the pypdf library to the patch version.