CVE-2025-62708
Published 2025-10-22
Priority P3 · 40 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.40% (32.0th percentile)
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pypdf | < pypdf 6.9.0-1 (forky) | pypdf 6.9.0-1 (forky) |
| py-pdf | pypdf | < 6.1.3 | 6.1.3 |
| pypdf_project | pypdf | < 6.1.3 | 6.1.3 |
| pypdf_project | pypdf | >= 0 < 6.9.0-1 | 6.9.0-1 |
| pypdf_project | pypdf | >= 0 < 6.1.3 | 6.1.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 6.6 | MEDIUM | |
| vendor_debian | | 6.6 | LOW | |
| vendor_redhat | | 6.6 | MEDIUM | |
GHSA · 2025-10-22
CVE-2025-62708 [MEDIUM] CWE-409: pypdf can exhaust RAM via manipulated LZWDecode streams
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter.
### Patches
This has been fixed in [pypdf==6.1.3](https://github.com/py-pdf/pypdf/releases/tag/6.1.3).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3502](https://github.com/py-pdf/pypdf/pull/3502).
OSV · 2025-10-22 · CVSS 6.6
CVE-2025-62708 [MEDIUM]: pypdf is a free and open-source pure-python PDF library
Red Hat · 2025-10-22 · CVSS 6.6
CVE-2025-62708 [MEDIUM] CWE-409: pypdf manipulated LZWDecode streams can exhaust RAM
A memory exhaustion flaw has been discovered in the pypdf PyPI library. An attacker who uses this vulnerability can craft a PDF which leads to excessive memory usage. This requires parsing the content stream of a page using the LZWDecode filter.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicabili
Debian · 2025 · CVSS 6.6
CVE-2025-62708 [MEDIUM]: pypdf - pypdf is a free and open-source pure-python PDF library
Scope: local
bookworm: resolved
forky: resolved (fixed in 6.9.0-1)
sid: resolved (fixed in 6.9.0-1)
trixie: open
No detection rules found.
No public exploits indexed.