Skip to content

Security: arnepluhar/pdf2pdfa

Security

SECURITY.md

Security Advisory

Project: pdf2pdfa
Date: 2026-07-16
Audited with: pip-audit

Summary

Security audit performed on all Python dependencies. Direct dependencies used by pdf2pdfa have been updated to address known vulnerabilities.

Scripts Security Review

Script Command Injection Path Traversal Status
pdf2pdfa.py ✓ Safe (list args) ✓ Path objects Secure
analyze_pdfs.py ✓ Safe (list args) ✓ Path objects Secure
cleanup_pdfs.py ✓ Safe (list args) ✓ Path objects Secure

All scripts use subprocess.run() with list arguments (not shell=True), preventing command injection.

Direct Dependencies Status

Package Version Status Notes
pikepdf 10.10.0 ✓ Secure No direct CVEs
Pillow 12.3.0 ✓ Updated Fixed 9 CVEs (PSD, PCF, BDF, GD, PDF parsing)
NumPy 2.5.1 ✓ Secure No known CVEs
scikit-image 0.26.0 ✓ Secure No known CVEs (optional)

Addressed Vulnerabilities

The following CVEs were present in Pillow 11.1.0 and are fixed in 12.3.0:

  • PYSEC-2026-165: Integer overflow in font glyph positioning
  • PYSEC-2026-2249: Out-of-bounds write in PSD loader
  • PYSEC-2026-2250: Decompression bomb in FITS loader
  • PYSEC-2026-2252: Memory corruption in PSD processing
  • PYSEC-2026-2253: Decompression bomb in PCF font loader
  • PYSEC-2026-2254: Decompression bomb in FontFile.compile()
  • PYSEC-2026-2255: Decompression bomb in BDF font loader
  • PYSEC-2026-2256: Decompression bomb in GD image loader
  • PYSEC-2026-2257: Command injection in WindowsViewer (Windows only)
  • PYSEC-2026-2874: Infinite loop in PDF trailer parsing

Transitive Dependencies (Low Risk)

These vulnerabilities exist in transitive dependencies but do not affect pdf2pdfa's operation:

Package CVE Risk Assessment
lxml 5.3.0 PYSEC-2026-87 Low - XXE only with resolve_entities=True, not used by pikepdf's PDF operations
requests 2.32.3 PYSEC-2026-1872 Low - .netrc credential leak, not applicable to local PDF processing
filelock 3.18.0 PYSEC-2026-1374 Low - TOCTOU in SoftFileLock, pdf2pdfa doesn't use file locking
setuptools 72.1.0 PYSEC-2025-49 Low - path traversal in deprecated easy_install

Recommendations

  1. Keep Pillow updated - It processes untrusted image data from PDFs
  2. Run pip-audit periodically - pip-audit --desc on
  3. Use virtual environments - Isolate dependencies per project

Verification

# Check current versions
pip show pikepdf pillow numpy | grep -E "^(Name|Version):"

# Run security audit
pip-audit --desc on

There aren't any published security advisories