Commit cc89c8c
fix(deps): Update security vulnerability in pypdf to v6.9.1 [SECURITY] (#4248)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pypdf](https://redirect.github.com/py-pdf/pypdf) ([changelog](https://pypdf.readthedocs.io/en/latest/meta/CHANGELOG.html)) | `6.7.3` → `6.9.1` | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-28351](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-f2v5-7jq9-h8cg)
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to
large memory usage. This requires parsing the content stream using the
RunLengthDecode filter.
### Patches
This has been fixed in
[pypdf==6.7.4](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.7.4).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR
[#​3664](https://redirect.github.com/py-pdf/pypdf/pull/3664).
#### [CVE-2026-28804](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-9m86-7pmv-2852)
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to
long runtimes. This requires accessing a stream which uses the
`/ASCIIHexDecode` filter.
### Patches
This has been fixed in
[pypdf==6.7.5](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.7.5).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR
[#​3666](https://redirect.github.com/py-pdf/pypdf/pull/3666).
#### [CVE-2026-31826](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-hqmh-ppp3-xvm7)
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to
large memory usage. This requires parsing a content stream with a rather
large `/Length` value, regardless of the actual data length inside the
stream.
### Patches
This has been fixed in
[pypdf==6.8.0](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.8.0).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR
[#​3675](https://redirect.github.com/py-pdf/pypdf/pull/3675).
As far as we are aware, this mostly affects reading from buffers of
unknown size, as returned by `open("file.pdf", mode="rb")` for example.
Passing a file path or a `BytesIO` buffer to *pypdf* instead does not
seem to trigger the vulnerability.
#### [CVE-2026-33123](https://redirect.github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp)
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to
long runtimes and/or large memory usage. This requires accessing an
array-based stream with lots of entries.
### Patches
This has been fixed in
[pypdf==6.9.1](https://redirect.github.com/py-pdf/pypdf/releases/tag/6.9.1).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR
[#​3686](https://redirect.github.com/py-pdf/pypdf/pull/3686).
---
### Release Notes
<details>
<summary>py-pdf/pypdf (pypdf)</summary>
### [`v6.9.1`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-691-2026-03-17)
[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.9.0...6.9.1)
##### Security (SEC)
- Improve performance and limit length of array-based content streams
([#​3686](https://redirect.github.com/py-pdf/pypdf/issues/3686))
[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.9.0...6.9.1)
### [`v6.9.0`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-691-2026-03-17)
[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.8.0...6.9.0)
##### Security (SEC)
- Improve performance and limit length of array-based content streams
([#​3686](https://redirect.github.com/py-pdf/pypdf/issues/3686))
[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.9.0...6.9.1)
### [`v6.8.0`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-690-2026-03-15)
[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.7.5...6.8.0)
##### New Features (ENH)
- Expose /Perms verification result on Encryption object
([#​3672](https://redirect.github.com/py-pdf/pypdf/issues/3672))
##### Performance Improvements (PI)
- Fix O(n²) performance in NameObject read/write
([#​3679](https://redirect.github.com/py-pdf/pypdf/issues/3679))
- Batch-parse all objects in ObjStm on first access
([#​3677](https://redirect.github.com/py-pdf/pypdf/issues/3677))
##### Bug Fixes (BUG)
- Avoid sharing array-based content streams between pages
([#​3681](https://redirect.github.com/py-pdf/pypdf/issues/3681))
- Avoid accessing invalid page when inserting blank page under some conditions
([#​3529](https://redirect.github.com/py-pdf/pypdf/issues/3529))
[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.8.0...6.9.0)
### [`v6.7.5`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-680-2026-03-09)
[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.7.4...6.7.5)
##### Security (SEC)
- Limit allowed `/Length` value of stream
([#​3675](https://redirect.github.com/py-pdf/pypdf/issues/3675))
##### New Features (ENH)
- Add /IRT (in-reply-to) support for markup annotations
([#​3631](https://redirect.github.com/py-pdf/pypdf/issues/3631))
##### Documentation (DOC)
- Avoid using `PageObject.replace_contents` on PdfReader
([#​3669](https://redirect.github.com/py-pdf/pypdf/issues/3669))
- Document how to disable jbig2dec calls
[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.7.5...6.8.0)
### [`v6.7.4`](https://redirect.github.com/py-pdf/pypdf/blob/HEAD/CHANGELOG.md#Version-675-2026-03-02)
[Compare Source](https://redirect.github.com/py-pdf/pypdf/compare/6.7.3...6.7.4)
##### Security (SEC)
- Improve the performance of the ASCIIHexDecode filter
([#​3666](https://redirect.github.com/py-pdf/pypdf/issues/3666))
[Full Changelog](https://redirect.github.com/py-pdf/pypdf/compare/6.7.4...6.7.5)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
---
This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: utic-renovate[bot] <235200891+utic-renovate[bot]@users.noreply.github.com>

1 parent cb16853 commit cc89c8c
3 files changed
Lines changed: 13 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
1 | 6 | | |
2 | 7 | | |
3 | 8 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
| 1 | + | |
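An added example (not pypdf's or Renovate's code) for a consumer of this dependency bump: it checks an installed pypdf version against the fix releases named in the four advisories above, and it implements the CVE-2026-31826 workaround note by handing pypdf a size-checked `BytesIO` instead of an open file object of unknown size. The byte cap and the function names are assumptions for illustration, not part of the advisory.

```python
import re
from io import BytesIO

# Fix releases named in the advisories above (values taken from the page).
FIXED_VERSIONS = {
    "CVE-2026-28351": (6, 7, 4),  # RunLengthDecode: large memory usage
    "CVE-2026-28804": (6, 7, 5),  # /ASCIIHexDecode: long runtimes
    "CVE-2026-31826": (6, 8, 0),  # oversized /Length value
    "CVE-2026-33123": (6, 9, 1),  # array-based stream with many entries
}


def parse_version(version: str) -> tuple:
    """'6.9.1' -> (6, 9, 1); a suffix such as '4rc1' keeps only the leading digits."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def unpatched_advisories(installed: str) -> list:
    """Advisory ids whose fix release is newer than the installed pypdf."""
    have = parse_version(installed)
    return [cve for cve, fixed in FIXED_VERSIONS.items() if have < fixed]


def bound_pdf_bytes(data: bytes, max_bytes: int) -> BytesIO:
    """Wrap already-read bytes in a BytesIO after a size and header check.

    Passing a BytesIO (not the open file object) to pypdf.PdfReader follows the
    workaround note under CVE-2026-31826; max_bytes is a local policy choice
    (assumed here) that bounds how much untrusted input is held before parsing.
    """
    if len(data) > max_bytes:
        raise ValueError(f"input of {len(data)} bytes exceeds the {max_bytes} byte cap")
    if not data.startswith(b"%PDF-"):
        raise ValueError("input does not start with a %PDF- header")
    return BytesIO(data)


def load_pdf_bounded(path: str, max_bytes: int) -> BytesIO:
    """Read at most max_bytes + 1 bytes from path and return a checked BytesIO."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes + 1)  # one extra byte detects an oversized file
    return bound_pdf_bytes(data, max_bytes)
```

The returned `BytesIO` is what you pass to `pypdf.PdfReader`; `unpatched_advisories(pypdf.__version__)` returning a non-empty list means the upgrade in this PR is still pending on that host.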