Project: pdf2pdfa
Date: 2026-07-16
Audited with: pip-audit
Security audit performed on all Python dependencies. Direct dependencies used by pdf2pdfa have been updated to address known vulnerabilities.
| Script | Command Injection | Path Traversal | Status |
|---|---|---|---|
| pdf2pdfa.py | ✓ Safe (list args) | ✓ Path objects | Secure |
| analyze_pdfs.py | ✓ Safe (list args) | ✓ Path objects | Secure |
| cleanup_pdfs.py | ✓ Safe (list args) | ✓ Path objects | Secure |
All scripts use subprocess.run() with list arguments (not shell=True), preventing command injection.
| Package | Version | Status | Notes |
|---|---|---|---|
| pikepdf | 10.10.0 | ✓ Secure | No direct CVEs |
| Pillow | 12.3.0 | ✓ Updated | Fixed 9 CVEs (PSD, PCF, BDF, GD, PDF parsing) |
| NumPy | 2.5.1 | ✓ Secure | No known CVEs |
| scikit-image | 0.26.0 | ✓ Secure | No known CVEs (optional) |
The following CVEs were present in Pillow 11.1.0 and are fixed in 12.3.0:
- PYSEC-2026-165: Integer overflow in font glyph positioning
- PYSEC-2026-2249: Out-of-bounds write in PSD loader
- PYSEC-2026-2250: Decompression bomb in FITS loader
- PYSEC-2026-2252: Memory corruption in PSD processing
- PYSEC-2026-2253: Decompression bomb in PCF font loader
- PYSEC-2026-2254: Decompression bomb in FontFile.compile()
- PYSEC-2026-2255: Decompression bomb in BDF font loader
- PYSEC-2026-2256: Decompression bomb in GD image loader
- PYSEC-2026-2257: Command injection in WindowsViewer (Windows only)
- PYSEC-2026-2874: Infinite loop in PDF trailer parsing
These vulnerabilities exist in transitive dependencies but do not affect pdf2pdfa's operation:
| Package | CVE | Risk Assessment |
|---|---|---|
| lxml 5.3.0 | PYSEC-2026-87 | Low - XXE only with resolve_entities=True, not used by pikepdf's PDF operations |
| requests 2.32.3 | PYSEC-2026-1872 | Low - .netrc credential leak, not applicable to local PDF processing |
| filelock 3.18.0 | PYSEC-2026-1374 | Low - TOCTOU in SoftFileLock, pdf2pdfa doesn't use file locking |
| setuptools 72.1.0 | PYSEC-2025-49 | Low - path traversal in deprecated easy_install |
- Keep Pillow updated - It processes untrusted image data from PDFs
- Run pip-audit periodically -
pip-audit --desc on - Use virtual environments - Isolate dependencies per project
# Check current versions
pip show pikepdf pillow numpy | grep -E "^(Name|Version):"
# Run security audit
pip-audit --desc on