
@crackcodecamp
Contributor

@crackcodecamp crackcodecamp commented Nov 11, 2025

Update pypdf dependency to address vulnerabilities causing potential denial of service through infinite loops or excessive memory usage when handling malicious PDFs. The update remains fully backward compatible, with no changes to the PdfReader API.

What does this PR do?

Fixes #4120

Test Plan

Update pypdf dependency to fix CVE-2025-62707, a DoS vulnerability
allowing infinite loops when processing malicious PDFs.

- CVE-2025-62707: Infinite loop in DCTDecode inline image parsing
- CVE-2025-55197: RAM exhaustion via FlateDecode filter
- Backward compatible (PdfReader API unchanged)

Fixes llamastack#4120
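The bump above only closes the two advisories if the dependency floor actually excludes every release older than 6.1.3; a specifier such as `pypdf>=5.9.0` (the pre-PR floor, per the linked issue) still lets a resolver pick a vulnerable build. The following audit helper is an added example, not code from this PR or from llama-stack: it parses a requirement line with the standard library only, computes the lowest version the specifier admits, and reports which of the two CVEs named in this PR remain reachable. The fixed version and CVE ids come from the PR text; the requirement strings in `__main__` are constructed sample input.

```python
"""Dependency-floor audit for a pypdf bump (added example, stdlib only).

The fixed release 6.1.3 and the CVE ids are taken from the PR text;
the requirement lines under __main__ are constructed sample input.
"""
import re
from typing import List, Optional, Tuple

# Lowest pypdf release that, per the PR, closes both advisories.
PYPDF_FIXED_VERSION = "6.1.3"
PYPDF_ADVISORIES = (
    "CVE-2025-62707",  # infinite loop in DCTDecode inline image parsing
    "CVE-2025-55197",  # RAM exhaustion via the FlateDecode filter
)

Version = Tuple[int, ...]

_SPEC_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<specs>.*?)\s*$")
_CLAUSE_RE = re.compile(r"(===|==|!=|~=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.\-]*)")


def parse_version(text: str) -> Version:
    """Turn a release string such as '6.1.3' into a comparable tuple.

    Pre-release and local suffixes are dropped; only the numeric release
    segment matters for a floor check, and short versions are padded so
    that (6, 1) compares equal to (6, 1, 0).
    """
    nums: List[int] = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def lower_bound(requirement: str) -> Tuple[str, Optional[Version]]:
    """Return (package name, lowest version the specifier admits).

    The floor is None when nothing bounds the version from below.
    Operators that raise the floor: >=, ==, ===, ~=, and > (next patch).
    <, <= and != never raise it.
    """
    m = _SPEC_RE.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    name = m.group("name").lower()
    floor: Optional[Version] = None
    for op, ver in _CLAUSE_RE.findall(m.group("specs")):
        v = parse_version(ver)
        if op in (">=", "==", "===", "~="):
            candidate = v
        elif op == ">":
            # strictly greater: the smallest admitted release is the next patch
            candidate = v[:-1] + (v[-1] + 1,)
        else:
            continue
        if floor is None or candidate > floor:
            floor = candidate
    return name, floor


def admits_vulnerable_pypdf(requirement: str, fixed: str = PYPDF_FIXED_VERSION) -> bool:
    """True when the requirement could still resolve to a pypdf older than the fix."""
    name, floor = lower_bound(requirement)
    if name != "pypdf":
        return False  # not the package under review
    return floor is None or floor < parse_version(fixed)


def audit(requirements: List[str]) -> dict:
    """Map each pypdf requirement line to the advisories it leaves open ([] means OK)."""
    report = {}
    for line in requirements:
        name, _ = lower_bound(line)
        if name == "pypdf":
            report[line] = list(PYPDF_ADVISORIES) if admits_vulnerable_pypdf(line) else []
    return report


if __name__ == "__main__":
    # Constructed sample lines: the pre-PR floor (5.9.0), the bumped floor, and two weak pins.
    sample = ["requests>=2.31", "pypdf>=5.9.0", "pypdf>=6.1.3", "pypdf==6.1.2", "pypdf"]
    for line, open_cves in audit(sample).items():
        status = "OK" if not open_cves else "exposed: " + ", ".join(open_cves)
        print(f"{line:16} -> {status}")
```

The check deliberately ignores upper bounds and exclusions: a `<7` cap or a `!=6.1.2` clause says nothing about whether older, vulnerable releases remain selectable, so only the floor decides. Running it over a lockfile or `pyproject.toml` dependency list is a cheap CI gate for this class of "bump the minimum" fix.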
@meta-cla

meta-cla bot commented Nov 11, 2025

Hi @crackcodecamp!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!

@crackcodecamp crackcodecamp changed the title fix: update pypdf to >=6.1.3 to address CVE-2025-62707 fix: update pypdf to >=6.1.3 Nov 11, 2025
@meta-cla

meta-cla bot commented Nov 11, 2025

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Nov 11, 2025
@crackcodecamp crackcodecamp changed the title fix: update pypdf to >=6.1.3 chore(deps): update pypdf to fix DoS vulnerabilities Nov 11, 2025
@crackcodecamp
Contributor Author

@franciscojavierarceo As approved, who can merge it? Are there additional approvals required?

@franciscojavierarceo
Collaborator

will merge after CI passes

@crackcodecamp
Contributor Author

crackcodecamp commented Nov 11, 2025

@franciscojavierarceo One CI check has been stuck for a very long time; it may need to be re-run. Could you please look into it?
Thanks!

@cdoern
Contributor

cdoern commented Nov 11, 2025

See #4119; this should fix CI. But there are concerns about an actual deadlock in the conversations API, so this might be a band-aid fix.

Collaborator

@leseb leseb left a comment

CI failure is unrelated and being addressed, let's move forward, thanks!

@leseb leseb merged commit 539b9c0 into llamastack:main Nov 12, 2025
75 of 76 checks passed
Development

Successfully merging this pull request may close these issues.

pypdf 5.9.0 needs to update pypdf >= 6.1.3

4 participants