N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-m449-cwjh-6pw7

GHSA-m449-cwjh-6pw7: pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.

This is a follow up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.

Patches

This has been fixed in pypdf==6.4.0.

Workarounds

If users cannot upgrade yet, use the line below to overwrite the default in their code:

pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-m449-cwjh-6pw7

GHSA-m449-cwjh-6pw7:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pypdf	pip	< 6.4.0	6.4.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the handling of LZW-encoded streams within PDF files. The pypdf library's LzwCodec class had a default maximum output length of 1 GB, which could be exploited by a crafted PDF to cause excessive memory allocation, leading to a denial-of-service. The analysis of the patch commit 96186725e5e6f237129a58a97cd19204a9ce40b2 reveals that the vulnerability was addressed by lowering this default limit.

The primary vulnerable function is LzwCodec.decode, which performs the actual decompression. Although not directly shown in the patch, its behavior is governed by the max_output_length parameter set in the LzwCodec.__init__ constructor. The modification of the __init__ method in the patch is direct evidence of the mitigation strategy. Therefore, both LzwCodec.__init__ (where the fix is applied) and LzwCodec.decode (where the vulnerability manifests at runtime) are identified as the key functions related to this vulnerability.

Vulnerable functions

LzwCodec.__init__

pypdf/_codecs/_codecs.py

The constructor of the `LzwCodec` class was modified to reduce the default `max_output_length` from 1,000,000,000 to 75,000,000. This high default value was the root cause of the vulnerability, as it allowed for excessive memory allocation during decompression.

LzwCodec.decode

pypdf/_codecs/_codecs.py

The `decode` method of the `LzwCodec` class is responsible for decompressing LZW-encoded data. Before the patch, this method could be forced to allocate up to 1 GB of memory when processing a malicious PDF, leading to a denial-of-service. This function is the runtime indicator of the vulnerability, as it would be the one consuming excessive memory during an attack.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m449-cwjh-6pw7: pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

Patches

Workarounds

GHSA-m449-cwjh-6pw7:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

N/A

N/A

Basic Information

Basic Information

GHSA-m449-cwjh-6pw7: pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-m449-cwjh-6pw7: pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

Patches

Workarounds

GHSA-m449-cwjh-6pw7:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

Vulnerability IntelligenceMiggo AI

Technical Details

N/A

N/A

Basic Information

Basic Information

GHSA-m449-cwjh-6pw7: pypdf's LZWDecode streams be manipulated to exhaust RAM

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI