
CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf

Medium
Tags: Vulnerability, CVE-2025-55197, cve, cwe-400, cwe-770
Published: Wed Aug 13 2025 (08/13/2025, 23:03:02 UTC)
Source: CVE Database V5
Vendor/Project: py-pdf
Product: pypdf

Description

pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 23:32:47 UTC

Technical Analysis

CVE-2025-55197 is a medium-severity denial-of-service vulnerability in pypdf, the widely used pure-Python PDF library, affecting all versions before 6.0.0. It is classified as CWE-400 (uncontrolled resource consumption) and CWE-770 (allocation of resources without limits or throttling): when the library decodes a stream whose /Filter entry applies FlateDecode one or more times, it inflates the compressed data without bounding the size of the result. Deflate compresses highly repetitive data by roughly three orders of magnitude, and stacking several FlateDecode layers multiplies the effect, so a stream of a few kilobytes can be made to expand to gigabytes and exhaust the RAM of the process that parses it.

Where the malicious stream sits determines how much the attacker needs the victim to do. A cross-reference stream is decoded as soon as the document is opened, so a PdfReader simply reading the file is enough; other streams (page content, embedded objects) are decoded only when the application accesses them explicitly, for example during text extraction. No authentication and no interaction beyond the target application processing the file are required. The root cause is the decompression routine in pypdf.filters, which 6.0.0 fixes; where an upgrade is not yet possible, the fixed pypdf.filters.decompress function can be backported into the filters module of the installed version. No in-the-wild exploitation is known at the time of writing, but the issue is publicly disclosed, and any system that parses untrusted PDFs with a vulnerable pypdf is a candidate target.
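The following is an added example written for this page; it is not pypdf's source and does not claim to reproduce the exact 6.0.0 fix. It models the failure mode the advisory describes, a FlateDecode stream (optionally nested several times, as in a /Filter array) whose inflated size is chosen by the attacker, with a single-call `zlib.decompress()` as the vulnerable pattern and a chunked, budgeted decoder as one way to bound it. The names (`decompress_bounded`, `decode_filter_chain`, `make_flate_bomb`), the 64 MiB default budget and the constructed sample stream of zero bytes are this example's own assumptions; the code needs only the standard library.

```python
"""Added example for CVE-2025-55197: unbounded vs. budgeted FlateDecode decoding.

Not pypdf's code.  decompress_unbounded() mirrors the single-call inflate that a
"series of FlateDecode filters" attack targets; decompress_bounded() shows one way
to cap the output.  Names, limits and the sample stream are assumptions made here.
"""
import zlib

MEBIBYTE = 1024 * 1024
CHUNK_SIZE = 256 * 1024  # inflated output accepted per zlib call


class DecompressionBomb(Exception):
    """The stream would inflate beyond the configured output budget."""


def decompress_unbounded(data: bytes) -> bytes:
    """Vulnerable pattern: inflate in one call; the output size is whatever the
    compressed data encodes, i.e. chosen by whoever crafted the PDF."""
    return zlib.decompress(data)


def decompress_bounded(data: bytes, max_output: int = 64 * MEBIBYTE) -> bytes:
    """Hardened pattern: inflate in CHUNK_SIZE pieces and abort past max_output.

    Decompress.decompress(data, max_length) returns at most max_length bytes and
    parks the not-yet-consumed input in .unconsumed_tail, so peak memory is
    bounded by the budget rather than by the attacker's stream.
    """
    d = zlib.decompressobj()
    out = bytearray()
    remaining = data
    while not d.eof:
        piece = d.decompress(remaining, CHUNK_SIZE)
        out += piece
        if len(out) > max_output:
            raise DecompressionBomb(
                f"FlateDecode output exceeded {max_output} bytes "
                f"from {len(data)} compressed bytes"
            )
        leftover = d.unconsumed_tail
        if not piece and leftover == remaining:
            # No input consumed and no output produced: the data ran out before
            # zlib saw an end-of-stream marker (truncated or corrupt stream).
            raise zlib.error("truncated FlateDecode stream")
        remaining = leftover
    return bytes(out)


def decode_filter_chain(data: bytes, filters: list, max_output: int = 64 * MEBIBYTE) -> bytes:
    """Apply a PDF /Filter array such as [/FlateDecode /FlateDecode] in order.

    Each layer is decoded against the same budget, so nesting FlateDecode several
    times cannot dodge the check: the first layer that inflates past max_output
    aborts the whole chain.  Only FlateDecode is modelled in this example.
    """
    for name in filters:
        if name != "FlateDecode":
            raise NotImplementedError(f"filter {name} is not modelled in this example")
        data = decompress_bounded(data, max_output)
    return data


def make_flate_bomb(plain_size: int, layers: int = 1) -> bytes:
    """Constructed sample input: plain_size zero bytes, FlateDecode'd `layers` times.

    Deflate compresses a run of identical bytes by roughly 1000:1, so a few KiB of
    stream data stand for many MiB of output; that asymmetry is the whole attack.
    """
    data = b"\x00" * plain_size
    for _ in range(layers):
        data = zlib.compress(data, 9)
    return data


def demo(plain_size: int = 16 * MEBIBYTE, budget: int = MEBIBYTE) -> dict:
    """Run both decoders on a two-layer bomb and on a benign stream; return what happened."""
    bomb = make_flate_bomb(plain_size, layers=2)
    benign = zlib.compress(b"BT /F1 12 Tf 72 712 Td (Hello) Tj ET\n" * 200)  # constructed
    result = {"bomb_compressed_bytes": len(bomb)}
    try:
        decode_filter_chain(bomb, ["FlateDecode", "FlateDecode"], max_output=budget)
        result["bounded"] = "decoded"
    except DecompressionBomb:
        result["bounded"] = "rejected"
    # The vulnerable path materialises the whole payload (one layer here, to keep
    # the demo's own memory use modest).
    result["unbounded_bytes"] = len(decompress_unbounded(make_flate_bomb(plain_size)))
    # Well-behaved streams decode identically through both paths.
    result["benign_roundtrip_ok"] = decompress_bounded(benign, budget) == decompress_unbounded(benign)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a two-layer stream of a few kilobytes being rejected after roughly 1 MiB of output by the budgeted decoder, while the unbounded decoder dutifully allocates the full 16 MiB for a single-layer stream; scale `plain_size` up and the unbounded path is the RAM exhaustion the advisory describes. The budget value is a policy choice: it should be set to the largest stream a legitimate document in your pipeline needs, and the `DecompressionBomb` exception is the event worth logging and alerting on.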

Potential Impact

For European organizations, the exposure is wherever pypdf processes PDF files: document management systems, automated ingestion and conversion pipelines, invoice or form processing, and web applications that accept uploaded PDFs. A crafted document opened by a vulnerable pypdf consumes memory until the worker is killed or the host starts swapping and stalls, a denial of service of the processing service and of anything co-located with it. The effect is availability only, not data disclosure or code execution, but it scales cheaply: the attacker sends a few kilobytes and the victim allocates gigabytes, so repeated submissions, or a single file dropped into a shared batch queue, can disrupt business processes in document-heavy sectors such as finance, legal, healthcare and public administration. Systems that accept PDFs from untrusted parties, or that process them unattended in bulk, are most exposed, because the only precondition is that a vulnerable pypdf opens the file.

Mitigation Recommendations

The primary mitigation is to upgrade pypdf to 6.0.0 or later, which contains the fix. Check the installed version with python -c "import pypdf; print(pypdf.__version__)", bearing in mind that pypdf often arrives as a transitive dependency of other packages and may be pinned below 6.0.0 in their lock files. If upgrading is not immediately possible, apply the workaround from the advisory: backport the fixed pypdf.filters.decompress implementation from 6.0.0 into the filters module of the installed version. Independently of the library fix, run PDF parsing in an isolated worker with a hard memory limit (a container memory limit, cgroup or ulimit) and a timeout, so that a decompression bomb kills one worker rather than the host; enforce a maximum upload size and rate-limit submissions; and alert on abnormal memory growth in the parsing service, which is the observable signature of an attempt. Where practical, restrict acceptance of PDFs from untrusted sources or pre-screen them with a tool that is not affected. Finally, maintain a current software inventory (SBOM) and audit dependencies regularly so that fixes like this one can be applied promptly.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-08T21:55:07.964Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 689d1d1cad5a09ad0054d653

Added to database: 8/13/2025, 11:17:48 PM

Last enriched: 8/13/2025, 11:32:47 PM

Last updated: 8/15/2025, 6:20:37 PM
