
Possible long runtimes for malformed startxref

Moderate
stefan6419846 published GHSA-4f6g-68pf-7vhv Jan 9, 2026

Package

pip pypdf (pip)

Affected versions

< 6.6.0

Patched versions

>= 6.6.0

Description

Impact

An attacker can craft a PDF with an invalid startxref entry that causes pypdf to run for a very long time. When the cross-reference table has to be rebuilt, files containing large amounts of whitespace are the problematic case. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

from pypdf import PdfReader, PdfWriter


# Instead of
reader = PdfReader("file.pdf")
# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")
# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))
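The following is an added example, not code from the advisory or from the pypdf project. It complements the strict-mode workaround above with a cheap pre-parse sanity check: before a lenient parser is ever asked to rebuild the cross-reference table, the trailer of the file is inspected for a well-formed "startxref <offset>" line that actually points at an xref table or an xref-stream object. The helper names (build_sample_pdf, check_startxref, open_checked), the bounded 1024-byte tail window, and the three sample PDFs are constructed for this example. The PDF-level facts it relies on (a trailer ends with startxref, a decimal byte offset and %%EOF; the offset must land on "xref" or on an "N G obj" header) come from the PDF specification, not from the advisory.

```python
import io
import re
from typing import Optional, Tuple

# Bounded regex applied only to the last tail_bytes of the file, so this check
# cannot itself become a long-running regex on a whitespace-heavy input.
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s*%%EOF\s*$")
OBJ_HEADER_RE = re.compile(rb"\d+\s+\d+\s+obj")


def build_sample_pdf(startxref_value: Optional[bytes] = None) -> bytes:
    """Constructed minimal PDF; a wrong startxref_value yields a malformed trailer."""
    body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    xref_offset = len(body)  # the xref table starts right after the body
    xref = (
        b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
        b"trailer\n<< /Size 2 /Root 1 0 R >>\n"
    )
    if startxref_value is None:
        startxref_value = str(xref_offset).encode()
    return body + xref + b"startxref\n" + startxref_value + b"\n%%EOF\n"


def check_startxref(data: bytes, tail_bytes: int = 1024) -> Tuple[bool, str]:
    """Return (ok, reason) for the trailer's startxref entry without parsing the file."""
    tail = data[-tail_bytes:]
    match = STARTXREF_RE.search(tail)
    if match is None:
        return False, "no well-formed 'startxref <offset>' before %%EOF"
    offset = int(match.group(1))
    if offset >= len(data):
        return False, f"startxref offset {offset} is beyond end of file ({len(data)} bytes)"
    target = data[offset:offset + 16]
    # A classic file points at an xref table; a PDF 1.5+ file points at an xref stream object.
    if target.startswith(b"xref") or OBJ_HEADER_RE.match(target):
        return True, "ok"
    return False, f"startxref offset {offset} does not point at an xref table or object"


def open_checked(data: bytes):
    """Reject obviously broken trailers up front, then open in strict mode as the advisory recommends."""
    ok, reason = check_startxref(data)
    if not ok:
        raise ValueError(f"rejecting PDF: {reason}")
    from pypdf import PdfReader  # assumed installed; imported lazily so the check runs without it
    return PdfReader(io.BytesIO(data), strict=True)


# Constructed inputs: one valid trailer, one offset past EOF, one non-numeric offset.
GOOD_PDF = build_sample_pdf()
BAD_OFFSET_PDF = build_sample_pdf(b"99999999")
BAD_TOKEN_PDF = build_sample_pdf(b"garbage")

if __name__ == "__main__":
    for name, pdf in [("good", GOOD_PDF), ("bad offset", BAD_OFFSET_PDF), ("bad token", BAD_TOKEN_PDF)]:
        print(name, check_startxref(pdf))
```

The pre-check is deliberately conservative: it only rejects trailers that could not possibly be valid, so a file that passes it still goes through pypdf with strict=True, which is the mitigation the advisory actually specifies. Files that fail the check are never handed to a reader at all, strict or not.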

References

This issue has been fixed in #3594.

Severity

Moderate

CVE ID

CVE-2026-22691

Weaknesses

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Credits