SB2026052521 - Denial of service in PyPDF
Published: May 25, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-48735)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause excessive memory consumption.
The vulnerability exists because the XMP metadata parser allocates resources without limits or throttling when parsing large XMP metadata streams in a PDF file. A remote attacker can supply a specially crafted PDF file to cause excessive memory consumption.
Remediation
Install the update from the vendor's website.
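Where untrusted PDFs must be handled before the update is deployed, the XMP metadata streams described above can be measured ahead of parsing; the sketch below is an added example, not PyPDF code and not the vendor's fix. It is a byte-level heuristic that does not follow the cross-reference table or decrypt anything, so it complements the update rather than replacing it. The function names and the 1 MiB limit are assumptions made for illustration.

```python
import re
import zlib

MAX_XMP_BYTES = 1 << 20  # assumed policy limit (1 MiB); not a value from the bulletin

# Bounded quantifiers limit regex backtracking on hostile input.
_OBJ_HDR = re.compile(rb"\b(\d{1,10})\s+\d{1,5}\s+obj\b")
_XMP_TYPE = re.compile(rb"/Type\s*/Metadata\b")
_XMP_REF = re.compile(rb"/Metadata\s+(\d{1,10})\s+\d{1,5}\s+R\b")
_FILTER = re.compile(rb"/Filter\s*(\[[^\]]{0,200}\]|/\w+)")


def _decoded_size(raw, head, limit):
    """Decoded size of one stream; Flate output is capped at limit + 1 bytes."""
    m = _FILTER.search(head)
    if m is None:
        return len(raw)
    if m.group(1).strip(b"[] \t\r\n") != b"/FlateDecode":
        return limit + 1  # filter chain this sketch cannot measure: fail closed
    try:
        # max_length stops inflation early, so a compression bomb is never expanded.
        return len(zlib.decompressobj().decompress(raw, limit + 1))
    except zlib.error:
        return limit + 1  # corrupt compressed data: fail closed


def xmp_stream_sizes(pdf, limit=MAX_XMP_BYTES):
    """Sizes of the XMP metadata streams visible in the raw bytes of a PDF."""
    # Object numbers named by a /Metadata reference, e.g. in the catalog.
    referenced = {int(n) for n in _XMP_REF.findall(pdf)}
    sizes = []
    for chunk in pdf.split(b"endobj"):
        hdr = _OBJ_HDR.search(chunk)
        if hdr is None:
            continue
        head, keyword, rest = chunk[hdr.end():].partition(b"stream")
        is_xmp = int(hdr.group(1)) in referenced or _XMP_TYPE.search(head)
        if not keyword or not is_xmp:
            continue
        end = rest.rfind(b"endstream")
        raw = (rest[:end] if end >= 0 else rest).lstrip(b"\r\n")
        sizes.append(_decoded_size(raw, head, limit))
    return sizes


def xmp_within_limit(pdf, limit=MAX_XMP_BYTES):
    """True when every XMP stream found decodes to at most `limit` bytes."""
    return all(size <= limit for size in xmp_stream_sizes(pdf, limit))
```

Call `xmp_within_limit(data)` on the uploaded bytes and reject or quarantine the file when it returns `False`, before the file reaches any code that reads XMP metadata.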