Memory Resource Exhaustion in PyPDF Library by PyPDF Team
CVE-2025-66019

6.6MEDIUM

Key Information:

Vendor

Py-PDF

Status
PyPDF
Vendor
CVE Published:
25 November 2025

What is CVE-2025-66019?

The pypdf library, a popular open-source PDF processing tool, is susceptible to a memory exhaustion vulnerability. Attackers can exploit this flaw by crafting a malicious PDF document that, when processed, may consume excessive memory—up to 1 GB—for each content stream that utilizes the LZWDecode filter. This vulnerability potentially disrupts system performance and stability. Users are urged to upgrade to version 6.4.0, where this issue has been addressed, to safeguard against such exploits.

Affected Version(s)

pypdf < 6.4.0

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/py-pdf/pypdf/commit/96186725e5e6f23712...
x_refsource_MISC
https://github.com/py-pdf/pypdf/releases/tag/6.4.0
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.