Skip to content

Update dependency pypdf to v6.6.0 [SECURITY] #1828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency pypdf to v6.6.0 [SECURITY] #1828

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 9, 2026
edited
Loading

This PR contains the following updates:

Package Update Change OpenSSF
pypdf (changelog) minor ==6.1.3==6.6.0 OpenSSF Scorecard

GitHub Vulnerability Alerts

CVE-2025-66019

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

CVE-2026-22690

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

from pypdf import PdfReader, PdfWriter

# Instead of
reader = PdfReader("file.pdf")

# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")

# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))

Resources

This issue has been fixed in #​3594.

CVE-2026-22691

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

from pypdf import PdfReader, PdfWriter

# Instead of
reader = PdfReader("file.pdf")

# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")

# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))

Resources

This issue has been fixed in #​3594.

pypdf's LZWDecode streams be manipulated to exhaust RAM

CVE-2025-66019 / GHSA-m449-cwjh-6pw7

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf has possible long runtimes for malformed startxref

CVE-2026-22691 / GHSA-4f6g-68pf-7vhv

More information

Details

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds
from pypdf import PdfReader, PdfWriter

##### Instead of
reader = PdfReader("file.pdf")

##### use the strict mode:
reader = PdfReader("file.pdf", strict=True)

##### Instead of
writer = PdfWriter(clone_from="file.pdf")

##### use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
Resources

This issue has been fixed in #​3594.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf has possible long runtimes for missing /Root object with large /Size values

CVE-2026-22690 / GHSA-4xc4-762w-m6cg

More information

Details

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds
from pypdf import PdfReader, PdfWriter

##### Instead of
reader = PdfReader("file.pdf")

##### use the strict mode:
reader = PdfReader("file.pdf", strict=True)

##### Instead of
writer = PdfWriter(clone_from="file.pdf")

##### use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
Resources

This issue has been fixed in #​3594.

Severity

  • CVSS Score: 2.7 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

py-pdf/pypdf (pypdf)

v6.6.0

Compare Source

Security (SEC)
  • Improve handling of partially broken PDF files (#​3594)
Deprecations (DEP)
  • Block common page content modifications when assigned to reader (#​3582)
New Features (ENH)
  • Embellishments to generated text appearance streams (#​3571)
Bug Fixes (BUG)
  • Do not consider multi-byte BOM-like sequences as BOMs (#​3589)
Robustness (ROB)
  • Avoid empty FlateDecode outputs without warning (#​3579)
Documentation (DOC)
  • Add outlines documentation and link it in User Guide (#​3511)
Developer Experience (DEV)
  • Add PyPy 3.11 to test matrix and benchmarks (#​3574)
Maintenance (MAINT)
  • Fix compatibility with Pillow >= 12.1.0 (#​3590)

Full Changelog

v6.5.0

Compare Source

New Features (ENH)
  • Limit jbig2dec memory usage (#​3576)
  • FontDescriptor: Initiate from embedded font resource (#​3551)
Robustness (ROB)
  • Allow fallback to PBM files for jbig2dec without PNG support (#​3567)
  • Use warning instead of error for early EOD for RunLengthDecode (#​3548)
Developer Experience (DEV)

Full Changelog

v6.4.2

Compare Source

New Features (ENH)
  • Limit jbig2dec memory usage (#​3576)
  • FontDescriptor: Initiate from embedded font resource (#​3551)
Robustness (ROB)
  • Allow fallback to PBM files for jbig2dec without PNG support (#​3567)
  • Use warning instead of error for early EOD for RunLengthDecode (#​3548)
Developer Experience (DEV)

Full Changelog

v6.4.1

Compare Source

Bug Fixes (BUG)
  • Fix KeyError when flattening form field without /Font in resources (#​3554)
Robustness (ROB)
  • Allow deleting non-existent annotations (#​3559)
Documentation (DOC)
  • Fix level of attachment heading (#​3560)

Full Changelog

v6.4.0

Compare Source

Security (SEC)
  • Reduce default limit for LZW decoding
New Features (ENH)
  • Parse and format comb fields in text widget annotations (#​3519)
Robustness (ROB)
  • Silently ignore Adobe Ascii85 whitespace for suffix detection (#​3528)

Full Changelog

v6.3.0

Compare Source

Security (SEC)
  • Reduce default limit for LZW decoding
New Features (ENH)
  • Parse and format comb fields in text widget annotations (#​3519)
Robustness (ROB)
  • Silently ignore Adobe Ascii85 whitespace for suffix detection (#​3528)

Full Changelog

v6.2.0

Compare Source

New Features (ENH)
  • Wrap and align text in flattened PDF forms (#​3465)
Bug Fixes (BUG)
  • Fix missing "PreventGC" when cloning (#​3520)
  • Preserve JPEG image quality by default (#​3516)

Full Changelog

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot temporarily deployed to Vespa Cloud CD January 9, 2026 22:09 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant