Technologyglobal✓ verified · 90%

pypdf: Missing stream length values ignore defined limits

Name: pypdf: Missing stream length values ignore defined limits
Start: 2026-06-18T14:28:49Z
Location: Global (internet)

When: 2026-06-18 14:28 UTC
Where: Global (internet)
Category: cyber_advisory · pip

### Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as `MAX_DECLARED_STREAM_LENGTH` is sometimes ignored. This requires parsing a content stream without a `/Length` value. ### Patches This has been fixed in [pypdf==6.13.3](https://github.com/py-pdf/pypdf/releases/tag/6.13.3). ### Workarounds If you cannot upgrade yet, consider applying the changes from PR [#3871](https://github.com/py-pdf/pypdf/pull/3871).

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 14:28 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map