GHSA-jm82-fx9c-mx94: pypdf: Missing stream length values ignore defined limits

June 18, 2026

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as MAX_DECLARED_STREAM_LENGTH is sometimes ignored. This requires parsing a content stream without a /Length value.

References

github.com/advisories/GHSA-jm82-fx9c-mx94
github.com/py-pdf/pypdf/pull/3871
github.com/py-pdf/pypdf/releases/tag/6.13.3
github.com/py-pdf/pypdf/security/advisories/GHSA-jm82-fx9c-mx94

Code Behaviors & Features

Detect and mitigate GHSA-jm82-fx9c-mx94 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →