Fix pypdf vulnerabilities by updating to safe version#1374
Merged
We upgrade pypdf to 6.12.0, which fixes several vulnerabilities:

1) https://github.com/alphagov/notifications-utils/security/dependabot/40 - when we use the PDF reader we are vulnerable to an expansion attack with manipulated XMP metadata entity declarations that exhausts memory and causes a denial of service.
2) https://github.com/alphagov/notifications-utils/security/dependabot/45 - when we use the PdfReader we are vulnerable to a RAM exhaustion attack by manipulated FlateDecode image dimensions. This can cause resource overuse and denial of service.
3) https://github.com/alphagov/notifications-utils/security/dependabot/44 - when we use the PdfReader we are vulnerable to a RAM exhaustion attack by manipulated FlateDecode predictor parameters. This can cause resource overuse and denial of service.
4) https://github.com/alphagov/notifications-utils/security/dependabot/55 - when we use the PdfReader we are vulnerable to artificially extended runtimes, leading to slower service / denial of service / larger use of resources.
5) https://github.com/alphagov/notifications-utils/security/dependabot/42 - when we use the PdfReader we are vulnerable to artificially extended runtimes, leading to slower service / denial of service / larger use of resources.

The risk of us being exploited by these vulnerabilities is fairly low (as only our service users provide PDFs vs the general public), but it is not zero and could DoS any app components that are using pypdf to read PDFs. All tests in utils pass with the upgrade.

The upgrade is for requirements_for_test only, because to update the minimum version in pyproject.toml, and for that to be safely consumed by the repos that use utils, including template-preview, we need extensive testing. Dove team will be working on that.

Co-authored-by: Mervi Tyczynska <mervi.tyczynska@digital.cabinet-office.gov.uk>
klssmith approved these changes on Jun 17, 2026
We upgrade pypdf to 6.12.0, which fixes several vulnerabilities:

1) https://github.com/alphagov/notifications-utils/security/dependabot/40 - when we use the PDF reader we are vulnerable to an expansion attack with manipulated XMP metadata entity declarations that exhausts memory and causes a denial of service.
2) https://github.com/alphagov/notifications-utils/security/dependabot/45 - when we use the PdfReader we are vulnerable to a RAM exhaustion attack by manipulated FlateDecode image dimensions. This can cause resource overuse and denial of service.
3) https://github.com/alphagov/notifications-utils/security/dependabot/44 - when we use the PdfReader we are vulnerable to a RAM exhaustion attack by manipulated FlateDecode predictor parameters. This can cause resource overuse and denial of service.
4) https://github.com/alphagov/notifications-utils/security/dependabot/55 - when we use the PdfReader we are vulnerable to artificially extended runtimes, leading to slower service / denial of service / larger use of resources.
5) https://github.com/alphagov/notifications-utils/security/dependabot/42 - when we use the PdfReader we are vulnerable to artificially extended runtimes, leading to slower service / denial of service / larger use of resources.

The risk of us being exploited by these vulnerabilities is fairly low (as only our service users provide PDFs vs the general public), but it is not zero and could DoS any app components that are using pypdf to read PDFs.

All tests in utils pass with the upgrade.

All vulnerabilities also added to the spreadsheet: https://docs.google.com/spreadsheets/d/1g1Lji_1-jPx6MUT9kRZMM8riZhzkY-s0IlP-RKSoVlA/edit?usp=sharing
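As an added defence-in-depth example for components that read service users' PDFs (not code from this PR or from notifications-utils): a version gate for the pypdf pin, plus a guard that runs the parse in a forked child with size, wall-clock and address-space caps, so a document crafted for RAM exhaustion or extended runtime fails closed instead of taking the component down. Only `PdfReader` is pypdf's own API; `bounded_parse`, `version_is_safe`, the default limits and the stand-in parsers are assumptions, and the child-process limits are POSIX-only.

```python
import multiprocessing as mp
import resource
import time
from io import BytesIO

MIN_SAFE_PYPDF = (6, 12, 0)  # release this PR moves the pin to
_CTX = mp.get_context("fork")  # POSIX only; fork inherits parser callables without pickling

def version_is_safe(installed: str, minimum=MIN_SAFE_PYPDF) -> bool:
    """True when an 'X.Y.Z' version string is at least the patched release."""
    return tuple(int(p) for p in installed.split(".")[:3]) >= minimum

def count_pages_with_pypdf(data: bytes) -> int:
    from pypdf import PdfReader  # lazy import: the guard itself has no hard dependency
    return len(PdfReader(BytesIO(data)).pages)

def _worker(conn, parser, data, max_mem):
    # Child side: cap the address space, then parse; any exception (MemoryError included) is reported.
    try:
        _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        cap = max_mem if hard == resource.RLIM_INFINITY else min(max_mem, hard)
        resource.setrlimit(resource.RLIMIT_AS, (cap, hard))
        conn.send(("ok", parser(data)))
    except Exception as exc:
        conn.send(("error", type(exc).__name__))
    finally:
        conn.close()

def bounded_parse(data: bytes, parser, *, max_bytes=20 * 2**20,
                  timeout_s=5.0, max_mem=2 * 2**30):
    """Run parser(data) in a child with size, wall-clock and memory caps (limits are assumptions)."""
    if len(data) > max_bytes:  # cheap pre-check before any parsing happens
        return ("rejected", "input exceeds %d bytes" % max_bytes)
    parent, child = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(child, parser, data, max_mem))
    proc.start()
    child.close()
    proc.join(timeout_s)
    if proc.is_alive():  # the extended-runtime case: kill the child, don't wait
        proc.kill()
        proc.join()
        return ("timeout", "parser exceeded %.1fs" % timeout_s)
    if parent.poll():
        return parent.recv()
    return ("error", "child exited with code %s" % proc.exitcode)

def _slow_parser(data):
    time.sleep(30)  # constructed stand-in for a PDF engineered to extend runtime
    return 0
```

In production, pass `count_pages_with_pypdf` (or the real reader call) as the parser; `_slow_parser` exists only to show the timeout path.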