
Update dependency pypdf to v6.10.2 [SECURITY] #1881

Open
renovate[bot] wants to merge 1 commit into master from renovate/pypi-pypdf-vulnerability

Conversation

@renovate
Contributor

@renovate renovate bot commented Mar 25, 2026

This PR contains the following updates:

Package            Update   Change               OpenSSF
pypdf (changelog)  minor    ==6.9.1 -> ==6.10.2  OpenSSF Scorecard

GitHub Vulnerability Alerts

CVE-2026-33699

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

Patches

This has been fixed in pypdf==6.9.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3693.

Severity
  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

CVE-2026-40260

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3724.

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

GHSA-jj6c-8h6c-hppx

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values.

Patches

This has been fixed in pypdf==6.10.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3733.

Severity
  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

GHSA-4pxv-j86v-mhcw

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3735.

Severity
  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

GHSA-7gw9-cf7v-778f

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor unequal 1 and large predictor parameters.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity
  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

GHSA-x284-j5p8-9c5p

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity
  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

CVE-2026-33699 / GHSA-87mj-5ggw-8qc3

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

Patches

This has been fixed in pypdf==6.9.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3693.

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pypdf: Manipulated XMP metadata entity declarations can exhaust RAM

CVE-2026-40260 / GHSA-3crg-w4f6-42mx

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3724.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pypdf has long runtimes for wrong size values in cross-reference and object streams

GHSA-jj6c-8h6c-hppx

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values.

Patches

This has been fixed in pypdf==6.10.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3733.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pypdf: Possible long runtimes for wrong size values in incremental mode

GHSA-4pxv-j86v-mhcw

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3735.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM

GHSA-7gw9-cf7v-778f

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using /FlateDecode with a /Predictor unequal 1 and large predictor parameters.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


pypdf: Manipulated FlateDecode image dimensions can exhaust RAM

GHSA-x284-j5p8-9c5p

Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using /FlateDecode with large size values.

Patches

This has been fixed in pypdf==6.10.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3734.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

py-pdf/pypdf (pypdf)

v6.10.2

Compare Source

Security (SEC)
  • Do not rely on possibly invalid /Size for incremental cloning (#​3735)
  • Introduce limits for FlateDecode parameters and image decoding (#​3734)

Full Changelog

v6.10.1

Compare Source

Security (SEC)
  • Do not rely on possibly invalid /Size for incremental cloning (#​3735)
  • Introduce limits for FlateDecode parameters and image decoding (#​3734)

Full Changelog

v6.10.0

Compare Source

Security (SEC)
  • Limit the allowed size of xref and object streams (#​3733)
Robustness (ROB)
  • Consider strict mode setting for decryption errors (#​3731)
Documentation (DOC)
  • Use new parameter names for compress_identical_objects

Full Changelog

v6.9.2

Compare Source

Security (SEC)
  • Avoid infinite loop in read_from_stream for broken files (#​3693)
Robustness (ROB)
  • Resolve UnboundLocalError for xobjs in _get_image (#​3684)

Full Changelog


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
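Added example (not code from pypdf, Renovate or this repository): every advisory in this PR is a denial-of-service condition reached by feeding pypdf a crafted file (infinite loop, long runtimes on bogus /Size and /N values, RAM exhaustion through XMP entities or FlateDecode parameters). Upgrading to 6.10.2 closes the known cases; the structural control, for the next unknown one, is to parse untrusted PDFs in a child process with a hard address-space cap, a CPU-time cap and a wall-clock timeout, and to fail closed when the installed pypdf is older than the patched release. The script below does that on POSIX systems (it relies on fork and setrlimit). `count_pages` is the assumed real workload and only works where pypdf is installed; `_hang_forever` and `_eat_memory` are constructed stand-ins for the infinite-loop and RAM-exhaustion classes so the guard can be exercised without a malicious PDF.

```python
"""Resource-limited parsing of untrusted PDFs plus a patched-version gate.
Added example, not pypdf project code. POSIX-only (fork + setrlimit)."""
import io
import multiprocessing as mp
import resource
from importlib import metadata

# Oldest release carrying all six fixes listed in the PR above.
MIN_PATCHED_PYPDF = (6, 10, 2)


def parse_version(text):
    """'6.10.2' -> (6, 10, 2); a trailing tag such as '6.10.2rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def pypdf_is_patched(installed=None):
    """True only if the given (or installed) pypdf is >= 6.10.2.
    A missing or unreadable version is treated as unpatched (fail closed)."""
    if installed is None:
        try:
            installed = metadata.version("pypdf")
        except metadata.PackageNotFoundError:
            return False
    return parse_version(installed) >= MIN_PATCHED_PYPDF


def _cap(limit, value):
    """Lower an rlimit to `value`, never above the inherited hard limit."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _worker(fn, args, conn, max_mem, max_cpu):
    """Child side: cap address space and CPU seconds, then run fn."""
    _cap(resource.RLIMIT_AS, max_mem)   # allocations beyond this raise MemoryError
    _cap(resource.RLIMIT_CPU, max_cpu)  # kernel kills a CPU-bound loop (SIGXCPU)
    try:
        conn.send(("ok", fn(*args)))
    except BaseException as exc:  # report everything, including MemoryError
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def run_guarded(fn, args=(), timeout=5.0, max_mem=2 << 30, max_cpu=5):
    """Run fn(*args) in a forked child under memory/CPU caps and a wall-clock
    timeout. Returns (status, payload), status in {'ok', 'error', 'timeout'}.
    The parent never touches the untrusted bytes, so a hang or blow-up is
    contained to the child."""
    ctx = mp.get_context("fork")
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(fn, args, child_conn, max_mem, max_cpu))
    proc.start()
    child_conn.close()
    proc.join(timeout)
    if proc.is_alive():           # wall-clock backstop for sleeps/IO that RLIMIT_CPU misses
        proc.kill()
        proc.join()
        return ("timeout", None)
    if parent_conn.poll():
        return parent_conn.recv()
    return ("error", f"child exited with code {proc.exitcode}")


def count_pages(data):
    """Assumed real workload: parse untrusted PDF bytes with pypdf in strict mode
    (the non-strict recovery path is what CVE-2026-33699 needs) and return the
    page count. Import happens in the child; pypdf must be installed to use it."""
    from pypdf import PdfReader
    return len(PdfReader(io.BytesIO(data), strict=True).pages)


# Constructed stand-ins for the failure classes in the advisories above.
def _hang_forever():
    while True:          # infinite loop / long-runtime class
        pass


def _eat_memory():
    return len(bytearray(8 << 30))   # RAM-exhaustion class: 8 GiB request


def _well_behaved():
    return 42


if __name__ == "__main__":
    print("installed pypdf is patched:", pypdf_is_patched())
    for name, fn in [("ok", _well_behaved), ("hang", _hang_forever), ("memory", _eat_memory)]:
        print(name, run_guarded(fn, timeout=1.0))
```

`strict=True` removes the recovery path that CVE-2026-33699 depends on, but it also rejects many merely malformed real-world files, so treat it as a policy decision rather than a drop-in. Size `max_mem`, `max_cpu` and `timeout` from measurements of legitimate inputs; the point is that a hostile PDF can only cost one child process, not the service.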

  • Mar 25, 2026 22:18: renovate bot temporarily deployed to Vespa Cloud CD (Inactive)
  • Mar 26, 2026 16:17: renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 199ecfe to dc48adf
  • Mar 26, 2026 16:17: renovate bot temporarily deployed to Vespa Cloud CD (Inactive)
  • Mar 31, 2026: renovate bot changed the title from "chore(deps): update dependency pypdf to v6.9.2 [security]" to "Update dependency pypdf to v6.9.2 [SECURITY]"
  • Apr 10, 2026: renovate bot changed the title from "Update dependency pypdf to v6.9.2 [SECURITY]" to "Update dependency pypdf to v6.10.0 [SECURITY]"
  • Apr 10, 2026 22:18: renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from dc48adf to c6652ae
  • Apr 10, 2026 22:18: renovate bot temporarily deployed to Vespa Cloud CD (Inactive)
  • Apr 15, 2026: renovate bot changed the title from "Update dependency pypdf to v6.10.0 [SECURITY]" to "Update dependency pypdf to v6.10.1 [SECURITY]"
  • Apr 15, 2026 20:26: renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from c6652ae to 14f82b0
  • Apr 15, 2026 20:26: renovate bot temporarily deployed to Vespa Cloud CD (Inactive)
  • Apr 19, 2026: renovate bot changed the title from "Update dependency pypdf to v6.10.1 [SECURITY]" to "Update dependency pypdf to v6.10.2 [SECURITY]"
  • Apr 19, 2026 00:42: renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 14f82b0 to bfab6bb

Labels

None yet

Projects

None yet


0 participants