VDB
DEBIAN-CVE-2025-55197
DEBIAN-CVE-2025-55197
PUBLISHED
CVSS 7.5 HIGH
pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | pypdf | 0, 5.4.0-1, 0 |
| Debian:13 | pypdf | 5.4.0-1, 6.9.0-1, 0 |
| Debian:12 | pypdf | 4.0.1-1, 4.0.2-1, 4.1.0-1 |
| Debian:11 | pypdf2 | 2.9.0-1, 2.12.1-2, 2.12.1-3 |
| Debian:12 | pypdf2 | 0, 2.12.1-4, 2.12.1-3 |
Timeline
- Aug 13, 2025 CVE Published
- Apr 28, 2026 CVE Updated