Skip to content

chore(deps): update dependency pypdf to v6.7.5 [security]#1853

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-pypdf-vulnerability
Open

chore(deps): update dependency pypdf to v6.7.5 [security]#1853
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/pypi-pypdf-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 19, 2026
edited
Loading

This PR contains the following updates:

Package Update Change OpenSSF
pypdf (changelog) minor ==6.6.2==6.7.5 OpenSSF Scorecard

GitHub Vulnerability Alerts

CVE-2026-27024

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3645.

CVE-2026-27025

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3646.

CVE-2026-27026

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3644.

pypdf possibly has long runtimes for malformed FlateDecode streams

CVE-2026-27026 / GHSA-9mvc-8737-8j8h

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3644.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf has possible long runtimes/large memory usage for large /ToUnicode streams

CVE-2026-27025 / GHSA-wgvp-vg3v-2xq3

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3646.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf has a possible infinite loop when processing TreeObject

CVE-2026-27024 / GHSA-996q-pr4m-cvgq

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3645.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

CVE-2026-27628 / GHSA-2rw7-x74f-jg35

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.

Patches

This has been fixed in pypdf==6.7.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3655.

Severity

  • CVSS Score: 1.2 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated FlateDecode XFA streams can exhaust RAM

CVE-2026-27888 / GHSA-x7hp-r3qg-r3cj

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode.

Patches

This has been fixed in pypdf==6.7.3.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3658.

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf: Manipulated RunLengthDecode streams can exhaust RAM

CVE-2026-28351 / GHSA-f2v5-7jq9-h8cg

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.

Patches

This has been fixed in pypdf==6.7.4.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3664.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams

CVE-2026-28804 / GHSA-9m86-7pmv-2852

More information

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter.

Patches

This has been fixed in pypdf==6.7.5.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3666.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

py-pdf/pypdf (pypdf)

v6.7.5

Compare Source

Security (SEC)
  • Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.4

Compare Source

Security (SEC)
  • Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.3

Compare Source

Security (SEC)
  • Allow limiting output length for RunLengthDecode filter (#​3664)
Robustness (ROB)
  • Deal with invalid annotations in extract_links (#​3659)

Full Changelog

v6.7.2

Compare Source

Security (SEC)
  • Use zlib decompression limit when retrieving XFA data (#​3658)

Full Changelog

v6.7.1

Compare Source

Security (SEC)
  • Prevent infinite loop from circular xref /Prev references (#​3655)
Bug Fixes (BUG)
  • Fix wrong LUT size error (#​3651)
  • Fix handling of page boxes defined on /Pages (#​3650)

Full Changelog

v6.7.0

Compare Source

Deprecations (DEP)
  • Deprecate support for abbreviations in decode_stream_data (#​3617)
New Features (ENH)
  • Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#​3624)
Bug Fixes (BUG)
  • Avoid invalid load for ICCBased FlateDecode images in mode 1 (#​3619)
Robustness (ROB)
  • Fix AESV2 decryption when /Length missing in encrypt dict (#​3629)
  • Fix merging when annotations point to NullObject (#​3613)
  • Check for self._info being None in compress_identical_objects (#​3612)

Full Changelog

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot temporarily deployed to Vespa Cloud CD February 19, 2026 20:18 Inactive
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.1 [security] chore(deps): update dependency pypdf to v6.7.2 [security] Feb 25, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 6e2157c to a7df944 Compare February 25, 2026 18:18
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 25, 2026 18:19 Inactive
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.2 [security] chore(deps): update dependency pypdf to v6.7.1 [security] Feb 25, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from a7df944 to 4763b62 Compare February 25, 2026 20:18
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 25, 2026 20:18 Inactive
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.1 [security] chore(deps): update dependency pypdf to v6.7.2 [security] Feb 25, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 4763b62 to 2067cc7 Compare February 25, 2026 22:18
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 25, 2026 22:19 Inactive
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.2 [security] chore(deps): update dependency pypdf to v6.7.3 [security] Feb 27, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 2067cc7 to 5394ee1 Compare February 27, 2026 06:17
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 27, 2026 06:18 Inactive
@kkraune kkraune requested a review from thomasht86 February 27, 2026 07:00
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.3 [security] chore(deps): update dependency pypdf to v6.7.4 [security] Feb 28, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 5394ee1 to 7f88916 Compare February 28, 2026 17:18
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 28, 2026 17:19 Inactive
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 7f88916 to f85cacd Compare February 28, 2026 20:17
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.4 [security] chore(deps): update dependency pypdf to v6.7.1 [security] Feb 28, 2026
@renovate renovate bot temporarily deployed to Vespa Cloud CD February 28, 2026 20:17 Inactive
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.1 [security] chore(deps): update dependency pypdf to v6.7.4 [security] Mar 1, 2026
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from f85cacd to bdc81d7 Compare March 1, 2026 08:07
@renovate renovate bot temporarily deployed to Vespa Cloud CD March 1, 2026 08:08 Inactive
@renovate renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from bdc81d7 to 45068b9 Compare March 4, 2026 18:18
@renovate renovate bot changed the title chore(deps): update dependency pypdf to v6.7.4 [security] chore(deps): update dependency pypdf to v6.7.5 [security] Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thomasht86 thomasht86 Awaiting requested review from thomasht86

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants