pypdf - Debian Package Tracker

general

source: pypdf (main)
version: 5.4.0-1
maintainer: Debian Python Team (DMD)
uploaders: Daniel Kahn Gillmor [DMD] – Scott Kitterman [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 3.4.1-1+deb12u1
stable: 5.4.0-1
testing: 5.4.0-1
unstable: 5.4.0-1

versioned links

3.4.1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.4.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-pypdf

action needed

A new upstream version is available: 6.6.0 high

A new upstream version 6.6.0 is available, you should consider packaging it.

Created: 2025-05-12 Last update: 2026-01-11 21:17

5 security issues in trixie high

There are 5 open security issues in trixie.

2 important issues:

CVE-2026-22690: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

3 issues left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-15 Last update: 2026-01-11 06:30

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2025-55197: pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2026-22690: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Created: 2025-08-15 Last update: 2026-01-11 06:30

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2025-55197: pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2026-22690: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

Created: 2025-08-15 Last update: 2026-01-11 06:30

3 security issues in bookworm high

There are 3 open security issues in bookworm.

2 important issues:

CVE-2026-22690: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.

1 issue left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-15 Last update: 2026-01-11 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-12-23 20:00

news

[rss feed]

[2025-04-10] pypdf 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted pypdf 5.4.0-1 (source) into unstable (Santiago Ruano Rincón)
[2024-07-24] pypdf 4.3.1-1 MIGRATED to testing (Debian testing watch)
[2024-07-22] Accepted pypdf 4.3.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-04-11] pypdf 4.2.0-1 MIGRATED to testing (Debian testing watch)
[2024-04-09] Accepted pypdf 4.2.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-03-18] pypdf 4.1.0-1 MIGRATED to testing (Debian testing watch)
[2024-03-08] Accepted pypdf 4.1.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-26] Accepted pypdf 3.4.1-1~bpo11+1 (source all) into bullseye-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2024-02-23] pypdf 4.0.2-1 MIGRATED to testing (Debian testing watch)
[2024-02-21] Accepted pypdf 4.0.2-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-06] pypdf 4.0.1-1 MIGRATED to testing (Debian testing watch)
[2024-02-01] Accepted pypdf 4.0.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-27] pypdf 4.0.0-1 MIGRATED to testing (Debian testing watch)
[2024-01-23] Accepted pypdf 4.0.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-20] Accepted pypdf 3.4.1-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Donald Scott Kitterman)
[2024-01-19] Accepted pypdf 4.0.0-1~exp1 (source) into experimental (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-17] pypdf 3.17.4-1 MIGRATED to testing (Debian testing watch)
[2024-01-14] Accepted pypdf 3.17.4-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2023-02-25] pypdf 3.4.1-1 MIGRATED to testing (Debian testing watch)
[2023-02-14] Accepted pypdf 3.4.1-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-29] pypdf 3.3.0-3 MIGRATED to testing (Debian testing watch)
[2023-01-26] Accepted pypdf 3.3.0-3 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-26] Accepted pypdf 3.3.0-2 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-23] Accepted pypdf 3.3.0-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-20] Accepted pypdf 3.2.1-1 (source all) into unstable (Debian FTP Masters) (signed by: dkg@debian.org)

bugs [bug history graph]

all: 4
RC: 0
I&N: 4
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.4.0-1