CVE-2025-62708

7.5 HIGH

📋 TL;DR

CVE-2025-62708 is a memory exhaustion vulnerability in pypdf, a popular Python PDF library. Attackers can craft malicious PDFs with LZWDecode filters that cause excessive memory consumption when parsed. This affects any application using vulnerable versions of pypdf to process PDF files.

💻 Affected Systems

Products:
  • pypdf
Versions: All versions prior to 6.1.3
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects parsing of PDF content streams using LZWDecode filter. Requires PDF processing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service causing application crashes, system instability, or resource exhaustion leading to service unavailability.

🟠 Likely Case

Application crashes or degraded performance when processing malicious PDFs, potentially disrupting PDF-related functionality.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits, though PDF processing may fail gracefully.

🌐 Internet-Facing: HIGH - PDF processing is common in web applications, and attackers can easily upload malicious files.
🏢 Internal Only: MEDIUM - Internal users could exploit, but requires PDF processing functionality and malicious file upload/processing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a crafted PDF file. No authentication needed if PDF processing is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.3

Vendor Advisory: https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j

Restart Required: No

Instructions:

1. Update pypdf: pip install --upgrade pypdf==6.1.3
2. Verify installation: pip show pypdf
3. Test PDF processing functionality after update.

🔧 Temporary Workarounds

Disable LZWDecode Filter Processing

Platform: all

Modify code to reject or skip PDFs using LZWDecode filters before parsing.

# Python code to check for LZWDecode filter
# Inspect PDF metadata before processing
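The page only sketches the check above in comments. The following is an added example, not code from the page or from the pypdf project: a pure-Python pre-parse gate that scans the raw file bytes for a name token decoding to LZWDecode, including names written with PDF `#xx` hex escapes. The sample PDF byte strings are constructed for illustration, and `load_pdf_bytes_or_reject` is a hypothetical name for the gate you would call before handing bytes to `PdfReader`.

```python
import re

# Constructed sample inputs (not real test files): minimal PDF-like byte strings
# whose only purpose is to exercise the filter check below.
SAFE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 5 /Filter /FlateDecode >>\nstream\n"
    b"x\x9c\x03\x00\nendstream\nendobj\n%%EOF\n"
)
LZW_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 3 /Filter /LZWDecode >>\nstream\n"
    b"...\nendstream\nendobj\n%%EOF\n"
)
# Same filter, but the name is written with a '#xx' hex escape ('#44' == 'D')
# inside a filter array; a plain substring search for b"/LZWDecode" misses it.
ESCAPED_LZW_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length 3 /Filter [/ASCIIHexDecode /LZW#44ecode] >>\n"
    b"stream\n...\nendstream\nendobj\n%%EOF\n"
)

# A PDF name object is '/' followed by regular characters; PDF whitespace
# (NUL, TAB, LF, FF, CR, SPACE) and the delimiters ( ) < > [ ] { } / % end it.
# '#xx' inside a name is a hex escape for one byte (PDF 32000-1:2008, 7.3.5).
_NAME_TOKEN = re.compile(rb"/([^\x00\t\n\x0c\r /()<>\[\]{}%]*)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve '#xx' escapes so /LZW#44ecode and /LZWDecode compare equal."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def uses_lzw_filter(pdf_bytes: bytes) -> bool:
    """Return True if any name token in the raw file decodes to LZWDecode.

    Stream dictionaries (where /Filter normally lives) are stored as plain text
    at the top level of the file; streams cannot be placed inside object
    streams and names are not encrypted, so scanning raw bytes catches the
    common case. The check is deliberately conservative: a matching name that
    appears anywhere else in the file also triggers it, an acceptable false
    positive for a reject-first workaround.
    """
    return any(
        decode_name(m.group(1)) == b"LZWDecode"
        for m in _NAME_TOKEN.finditer(pdf_bytes)
    )


def load_pdf_bytes_or_reject(pdf_bytes: bytes) -> bytes:
    """Gate to place in front of pypdf.PdfReader until 6.1.3 is deployed."""
    if uses_lzw_filter(pdf_bytes):
        raise ValueError("rejected: PDF uses the LZWDecode filter")
    return pdf_bytes


if __name__ == "__main__":
    for label, data in [("safe", SAFE_PDF), ("lzw", LZW_PDF), ("escaped", ESCAPED_LZW_PDF)]:
        print(label, "-> LZWDecode present:", uses_lzw_filter(data))
```

This scan does not resolve indirect references (a `/Filter` value given as `n 0 R` whose target lives in a compressed object stream is not visible to it), so it is a stopgap for the interval before the upgrade, not a replacement for 6.1.3.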

Implement Resource Limits

Platform: linux

Set memory limits on PDF processing functions using resource management.

# Use Python's resource module or container limits (the resource module is POSIX-only)
import resource
max_memory = 512 * 1024 * 1024  # address-space cap in bytes (here 512 MiB); tune for your workload
# RLIMIT_AS applies to the whole process, so set it in a dedicated PDF-processing worker
resource.setrlimit(resource.RLIMIT_AS, (max_memory, max_memory))
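Because an address-space limit applies to the whole process, the practical pattern is to parse each PDF in a short-lived worker process that sets the limit on itself. The following is an added example (not code from the page or the pypdf project) of that pattern: it assumes Linux (the `fork` start method and an enforced RLIMIT_AS), and `parse_pdf_guarded` is a hypothetical helper that assumes pypdf is installed and uses its real `PdfReader` and `extract_text` API inside the worker.

```python
import multiprocessing
import resource


def _apply_memory_limit(limit_bytes: int) -> None:
    """Cap this process's address space, never trying to raise an existing hard limit."""
    _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        limit_bytes = min(limit_bytes, hard)
    resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))


def _worker(conn, fn, limit_bytes: int) -> None:
    """Child side: apply the limit, run fn, report the outcome to the parent."""
    try:
        _apply_memory_limit(limit_bytes)
        conn.send(("ok", fn()))
    except MemoryError:
        # An allocation beyond the cap fails here instead of exhausting the host.
        conn.send(("memory_limit_exceeded", None))
    except Exception as exc:  # any other parser failure, reported by repr
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_memory_limit(fn, limit_bytes: int, timeout_s: float = 30.0):
    """Run fn() in a forked child under RLIMIT_AS; return (status, value)."""
    ctx = multiprocessing.get_context("fork")  # Linux; no re-import of the caller module
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(send_end, fn, limit_bytes))
    proc.start()
    send_end.close()  # parent keeps only the read end, so EOF means the child is gone
    try:
        if recv_end.poll(timeout_s):
            status, value = recv_end.recv()
        else:
            status, value = "timeout", None
    except EOFError:  # child died (e.g. killed by the kernel OOM killer) before reporting
        status, value = "killed", None
    finally:
        recv_end.close()
    proc.join(timeout=5)
    if proc.is_alive():
        proc.kill()
        proc.join()
    return status, value


def parse_pdf_guarded(pdf_bytes: bytes, limit_bytes: int = 512 * 1024 * 1024):
    """Hypothetical call site: extract page text with pypdf inside the limit."""
    def job():
        from io import BytesIO
        from pypdf import PdfReader  # imported in the child; pypdf assumed installed
        reader = PdfReader(BytesIO(pdf_bytes))
        return [page.extract_text() for page in reader.pages]
    return run_with_memory_limit(job, limit_bytes)


if __name__ == "__main__":
    print(run_with_memory_limit(lambda: 6 * 7, 1024 * 1024 * 1024))
    # A 16 GiB request under a 1 GiB cap fails fast with MemoryError in the child.
    print(run_with_memory_limit(lambda: bytearray(16 * 1024 ** 3), 1024 * 1024 * 1024)[0])
```

The status tuple lets the caller distinguish a normal result from a limit hit, a crash, or a hang, which is also what you want to log for the detection indicators listed further down this page.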

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious PDF files before processing.
  • Deploy PDF processing in isolated containers with strict memory limits and monitoring.

🔍 How to Verify

Check if Vulnerable:

Check pypdf version: pip show pypdf | grep Version. If version is <6.1.3, system is vulnerable.

Check Version:

pip show pypdf | grep Version

Verify Fix Applied:

Confirm pypdf version is 6.1.3 or higher and test PDF processing with known safe files.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during PDF processing
  • High memory usage spikes from PDF-related processes
  • Errors mentioning LZWDecode or memory allocation

Network Indicators:

  • Multiple PDF uploads to vulnerable endpoints
  • Unusual PDF file sizes or patterns

SIEM Query:

source="application.log" AND ("pypdf" OR "PDF") AND ("crash" OR "memory" OR "LZWDecode")
