CVE-2025-62708 - Vulnerability Details

pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-jfx9-29x2-rv3j	pypdf can exhaust RAM via manipulated LZWDecode streams

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/py-pdf/pypdf/commit/e51d07807ffcdaf18077b9486dadb3dc05b368da
https://github.com/py-pdf/pypdf/pull/3502
https://github.com/py-pdf/pypdf/releases/tag/6.1.3
https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j

History

Wed, 22 Oct 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
Title		pypdf manipulated LZWDecode streams can exhaust RAM
Weaknesses		CWE-409
References		https://github.com/py-pdf/pypdf/commit/e51d07807ffcdaf18077b9486dadb3dc05b368da https://github.com/py-pdf/pypdf/pull/3502 https://github.com/py-pdf/pypdf/releases/tag/6.1.3 https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j
Metrics		cvssV4_0 `{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-10-22T21:36:56.788Z

Updated: 2025-10-22T21:36:56.788Z

Reserved: 2025-10-20T19:41:22.739Z

Link: CVE-2025-62708

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-22T22:15:35.880

Modified: 2025-10-22T22:15:35.880

Link: CVE-2025-62708

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object