CVE-2025-66019 is a low-severity vulnerability with a CVSS score of 0.0. There are currently no known exploits, and patches are available.
EPSS: very low probability of exploitation.
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
An attacker who uses this vulnerability can craft a PDF that causes memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter.
This is a follow-up to GHSA-jfx9-29x2-rv3j to align the default limit with the one for zlib.
This has been fixed in pypdf==6.4.0.
Users who cannot upgrade yet can override the default in their own code with the line below:
pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000
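How a per-stream output cap bounds the memory an LZWDecode stream can consume, as an added example: this is not pypdf's code, and `lzw_decode_bounded`, `OutputLimitExceeded`, `MAX_OUTPUT` and `SAMPLE` are hypothetical names. The sample stream is constructed by hand and decodes to ten bytes.

```python
# Added illustration of an output-capped LZW decoder; not pypdf's implementation.
CLEAR, EOD = 256, 257            # reserved codes in PDF LZWDecode streams
MAX_OUTPUT = 75_000_000          # cap value quoted in the advisory's workaround

class OutputLimitExceeded(Exception):
    """Decoded data would exceed the caller's cap (hypothetical name)."""

def lzw_decode_bounded(data: bytes, max_output_length: int = MAX_OUTPUT) -> bytes:
    """Decode MSB-first LZW (EarlyChange=1), refusing to grow past the cap."""
    out = bytearray()
    table, width, prev, next_code = {}, 9, None, 258
    bitbuf = bits = 0
    for byte in data:
        bitbuf = (bitbuf << 8) | byte
        bits += 8
        while bits >= width:
            bits -= width
            code = bitbuf >> bits            # top `width` bits of the buffer
            bitbuf &= (1 << bits) - 1
            if code == EOD:
                return bytes(out)
            if code == CLEAR:
                table, width, prev, next_code = {}, 9, None, 258
                continue
            if code < 256:
                entry = bytes([code])
            elif code in table:
                entry = table[code]
            elif prev is not None and code == next_code:
                entry = prev + prev[:1]      # code defined by this very step
            else:
                raise ValueError(f"invalid LZW code {code}")
            # Check before appending, so the buffer never exceeds the cap.
            if len(out) + len(entry) > max_output_length:
                raise OutputLimitExceeded(f"more than {max_output_length} bytes")
            out += entry
            if prev is not None and next_code < 4096:
                table[next_code] = prev + entry[:1]
                next_code += 1
                if next_code + 1 >= (1 << width) and width < 12:
                    width += 1               # early change: widen one code sooner
            prev = entry
    return bytes(out)

# Constructed sample: 9-bit codes 256, 65, 258, 259, 260, 257 packed MSB-first.
SAMPLE = bytes.fromhex("80106050382404")
```

Each dictionary code can expand to a longer string than the previous one, so the cap has to be enforced on the decoded size inside the loop, not on the size of the compressed input.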