CVE-2025-62707
Published 2025-10-22
Priority: P3 · 41 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.40% (32.0th percentile)
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pypdf | < pypdf 6.9.0-1 (forky) | pypdf 6.9.0-1 (forky) |
| py-pdf | pypdf | < 6.1.3 | 6.1.3 |
| pypdf_project | pypdf | < 6.1.3 | 6.1.3 |
| pypdf_project | pypdf | >= 0 < 6.9.0-1 | 6.9.0-1 |
| pypdf_project | pypdf | >= 0 < 6.1.3 | 6.1.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.6 | MEDIUM | |
| vendor_debian | | 6.6 | LOW | |
| vendor_redhat | | 6.6 | MEDIUM | |
OSV
osv · 2025-10-22 · CVSS 6.6
CVE-2025-62707 [MEDIUM] CVE-2025-62707: pypdf is a free and open-source pure-python PDF library
GHSA
ghsa · 2025-10-22
CVE-2025-62707 [MEDIUM] CWE-834 pypdf possibly loops infinitely when reading DCT inline images without EOF marker
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter.
### Patches
This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3501](https://github.com/py-pdf/pypdf/pull/3501).
OSV
osv · 2025-10-22
CVE-2025-62707 [MEDIUM] pypdf possibly loops infinitely when reading DCT inline images without EOF marker
Red Hat
vendor_redhat · 2025-10-22 · CVSS 6.6
CVE-2025-62707 [MEDIUM] CWE-834 pypdf: pypdf affected by possible infinite loop when reading DCT inline images without EOF marker
A denial of service vulnerability exists in pypdf, such that an attacker using a carefully crafted PDF file can make the parsing of the DCTDecode filter enter an infinite loop, leading to a loss of system availability.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ea
Debian
vendor_debian · 2025 · CVSS 6.6
CVE-2025-62707 [MEDIUM] CVE-2025-62707: pypdf - pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3,...
Scope: local
bookworm: resolved
forky: resolved (fixed in 6.9.0-1)
sid: resolved (fixed in 6.9.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.