
GHSA-vrqm-gvq7-rrwh: PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS

March 20, 2026

The DecodeStream.ensureBuffer() method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio (decompression bomb) causes unbounded memory allocation during stream decoding, leading to memory exhaustion and denial of service in both server-side (generator) and client-side (UI) contexts.

References

  • github.com/advisories/GHSA-vrqm-gvq7-rrwh
  • github.com/pdfme/pdfme
  • github.com/pdfme/pdfme/security/advisories/GHSA-vrqm-gvq7-rrwh


Affected versions

All versions before 5.5.10

Fixed versions

  • 5.5.10

Solution

Upgrade to version 5.5.10 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H


Weakness

  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

Source file

npm/@pdfme/pdf-lib/GHSA-vrqm-gvq7-rrwh.yml


Page generated Tue, 24 Mar 2026 12:17:19 +0000.