CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
AI Analysis
Technical Summary
CVE-2025-55197 is a medium-severity vulnerability affecting versions of the pypdf library prior to 6.0.0. pypdf is a widely used open-source pure-Python library for handling PDF files. The vulnerability arises from uncontrolled resource consumption (CWE-400) due to the way the library processes certain PDF streams. Specifically, an attacker can craft a malicious PDF file containing a series of FlateDecode filters applied to a cross-reference stream. When pypdf attempts to read this file, it triggers excessive RAM consumption, potentially exhausting system memory. This can lead to denial of service conditions by crashing the application or severely degrading system performance. The vulnerability also affects other content streams if explicitly accessed. Exploitation requires no authentication or user interaction beyond reading the malicious PDF file. The issue has been addressed in pypdf version 6.0.0 by fixing the decompression logic in the filters module. For environments where upgrading is not feasible, a workaround involves manually patching the filters file with the corrected decompression code from the updated pypdf.filters.decompress module. No known exploits are reported in the wild as of the publication date. The CVSS 4.0 base score is 6.6, reflecting a network attack vector with low complexity and no privileges or user interaction required, but with a high impact on availability due to resource exhaustion. This vulnerability is particularly relevant for applications and services that automatically parse or process untrusted PDF files using vulnerable pypdf versions, such as document management systems, automated PDF processing pipelines, or web services accepting PDF uploads.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the availability of systems that utilize the pypdf library for PDF processing. Exploitation can cause denial of service by exhausting RAM, potentially leading to application crashes or system instability. This can disrupt business operations, especially in sectors relying heavily on automated document workflows, such as finance, legal, healthcare, and public administration. Since exploitation requires only reading a crafted PDF, threat actors could embed malicious PDFs in emails, websites, or file shares, increasing the risk of inadvertent triggering. The impact on confidentiality and integrity is minimal as the vulnerability does not enable code execution or data manipulation directly. However, availability impacts can indirectly affect service reliability and user trust. Organizations handling large volumes of PDF files or providing PDF-related services are at higher risk. Additionally, the lack of known exploits in the wild suggests limited current threat activity, but the ease of exploitation and medium severity score warrant proactive mitigation.
Mitigation Recommendations
European organizations should prioritize upgrading pypdf to version 6.0.0 or later to fully remediate this vulnerability. Where immediate upgrade is not possible, applying the workaround by replacing the vulnerable decompression code in the filters file with the fixed code from pypdf.filters.decompress is recommended. Organizations should audit their software stacks to identify any internal or third-party applications using vulnerable pypdf versions. Implementing input validation and sandboxing PDF processing components can limit the impact of malicious files. Monitoring for abnormal memory usage or application crashes during PDF processing can help detect exploitation attempts. Additionally, organizations should educate users and administrators about the risks of opening untrusted PDF files and enforce strict email and file upload filtering policies to reduce exposure. Regularly reviewing and updating dependencies in software development and deployment pipelines will help prevent similar vulnerabilities. Finally, maintaining up-to-date backups and incident response plans will mitigate operational impacts if exploitation occurs.
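The mechanism summarised above (a chain of FlateDecode filters whose decoded size the reader never bounds) and the mitigation point about limiting the impact of malicious files both reduce to one engineering principle: never let decompression output grow without a budget. The block below is an added illustration of that principle; it is not pypdf's code and does not reproduce the 6.0.0 fix. It places a naive chain decoder, which materialises every layer in full, beside a budgeted one built on `zlib.decompressobj(...).decompress(data, max_length)`. The `DecompressionBombError` name, the budget constants and the chain-length limit are assumptions, and the nested zero-filled input used to exercise the limit is constructed for the test.

```python
"""Bounded FlateDecode decoding as a defence against CWE-400 in PDF stream
readers. Illustration only; not pypdf's implementation."""
import zlib

# Assumed policy values; a real deployment would tune these per use case.
MAX_DECODED_BYTES = 16 * 1024 * 1024   # total output budget for one stream
MAX_FILTER_CHAIN = 4                    # refuse absurdly long /Filter arrays


class DecompressionBombError(ValueError):
    """Raised when decoding would exceed the configured output budget."""


def naive_decode_filter_chain(raw: bytes, filters: list[str]) -> bytes:
    """The unsafe pattern: each layer is fully materialised by zlib.decompress(),
    so memory use is bounded only by what the file's author chose to compress."""
    data = raw
    for name in filters:
        if name != "/FlateDecode":
            raise NotImplementedError(f"filter {name} not handled in this example")
        data = zlib.decompress(data)
    return data


def bounded_inflate(data: bytes, max_out: int) -> bytes:
    """Inflate one zlib (FlateDecode) layer, aborting once output exceeds max_out.

    decompressobj.decompress(max_length) yields output in slices and parks the
    unread input in .unconsumed_tail, so the budget can be enforced without
    ever allocating the attacker's intended output size.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        budget_left = max_out - len(out)
        # Ask for at most budget_left + 1 bytes: the extra byte is how we
        # detect that the stream wanted to exceed the budget.
        out += d.decompress(pending, budget_left + 1)
        if len(out) > max_out:
            raise DecompressionBombError(
                f"FlateDecode output exceeded {max_out} bytes "
                f"from only {len(data)} input bytes")
        if d.eof:
            break
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_out:
        raise DecompressionBombError(f"FlateDecode output exceeded {max_out} bytes")
    return bytes(out)


def decode_filter_chain(raw: bytes, filters: list[str],
                        max_out: int = MAX_DECODED_BYTES) -> bytes:
    """Apply a PDF /Filter array in order; every layer shares one output budget,
    so nesting filters cannot multiply the allowed size."""
    if len(filters) > MAX_FILTER_CHAIN:
        raise DecompressionBombError(
            f"filter chain of length {len(filters)} exceeds {MAX_FILTER_CHAIN}")
    data = raw
    for name in filters:
        if name != "/FlateDecode":
            raise NotImplementedError(f"filter {name} not handled in this example")
        data = bounded_inflate(data, max_out)
    return data


def decodes_within_budget(raw: bytes, filters: list[str], max_out: int) -> bool:
    """True if the chain decodes inside the budget, False if it is rejected."""
    try:
        decode_filter_chain(raw, filters, max_out)
        return True
    except DecompressionBombError:
        return False


def build_nested_bomb(payload_size: int, layers: int) -> bytes:
    """Constructed test input: highly compressible zeros, deflated `layers`
    times. Each /FlateDecode in the chain undoes one layer, so the fully
    decoded size is payload_size regardless of how small the file is."""
    blob = b"\x00" * payload_size
    for _ in range(layers):
        blob = zlib.compress(blob, 9)
    return blob


if __name__ == "__main__":
    two = ["/FlateDecode", "/FlateDecode"]
    small = build_nested_bomb(1000, 2)
    print("legitimate chain decodes:", decodes_within_budget(small, two, 4096))
    big = build_nested_bomb(8_000_000, 2)
    print("bomb rejected under 1 MiB budget:",
          not decodes_within_budget(big, two, 1_000_000))
```

The budget is deliberately shared across the whole chain rather than applied per layer: a per-layer cap would still let an N-deep chain produce N times the intended output. The same shape applies to any other expanding filter a reader supports.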
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-08T21:55:07.964Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 689d1d1cad5a09ad0054d653
Added to database: 8/13/2025, 11:17:48 PM
Last enriched: 8/21/2025, 1:12:55 AM
Last updated: 9/27/2025, 3:08:26 AM