Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered PDF triggers memory exhaustion with no authentication or user interaction required; only availability is impacted.
Primary rating from Vendor (https://github.com/py-pdf/pypdf).
CVSS VectorVendor: https://github.com/py-pdf/pypdf
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 pypi packages depend on pypdf (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.12.2.
DescriptionCVE.org
Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references.
Patches
This has been fixed in pypdf==6.12.2.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3805.
AnalysisAI
Uncontrolled resource consumption in pypdf versions before 6.12.2 allows any attacker who can cause an application to call extract_text() on a crafted PDF to trigger unbounded memory growth, resulting in denial of service. The vulnerability arises specifically during form XObject traversal: a PDF containing a self-referencing XObject resource dictionary causes the extraction code to recurse infinitely without cycle detection. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Technical ContextAI
pypdf is a pure-Python PDF manipulation library distributed via pip (pkg:pip/pypdf). The affected code path is the _extract_text() and extract_xform_text() methods in pypdf/_page.py. PDF form XObjects (dictionary entries with /Subtype /Form) are reusable content streams embedded in a page's resource dictionary that the text extractor recursively processes. Prior to the fix, no visited-node tracking was maintained across recursive calls, so a form XObject whose /Resources /XObject dictionary included a reference back to itself could drive infinite recursion and unbounded heap allocation. CWE-400 (Uncontrolled Resource Consumption) precisely describes the root cause: the code placed no upper bound on XObject traversal depth or memory consumption. The PR #3805 fix introduces a known_ids set (keyed on Python object identity via id(xform)) threaded through the call chain; detection of a cycle causes the code to emit a warning and return an empty string rather than recurse.
RemediationAI
Upgrade to pypdf 6.12.2 or later, released at https://github.com/py-pdf/pypdf/releases/tag/6.12.2 - this is the definitive fix. If an immediate upgrade is not possible, the patch changes from PR #3805 (https://github.com/py-pdf/pypdf/pull/3805) can be applied manually to pypdf/_page.py; the change threads a known_ids set through _extract_text() and extract_xform_text() to detect and short-circuit cyclic XObject references. As a compensating control without code changes, enforce per-process memory limits before calling extract_text() on untrusted PDFs using OS-level ulimits or container memory caps (e.g., Docker --memory); this limits blast radius but does not prevent the vulnerability. Isolating extraction in a subprocess with a memory ceiling and timeout is the most robust compensating control - the trade-off is added latency and process-spawn overhead. Disabling or gating extract_text() calls on PDFs from untrusted sources is also effective if text extraction is not required for all inputs.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38356
GHSA-j543-4vmf-qm7v