PDF files rely on compression algorithms like LZW and ZLIB to reduce size, but these choices can have security implications.
In this post, I analyze CVE-2025-66019, a Denial of Service vulnerability in pypdf’s LZW decompression logic. I walk through how LZW works internally, why its dictionary growth can be abused, and why algorithms like ZLIB don’t suffer from the same class of issue.
The article includes interactive examples so readers can experiment with compression and decompression behavior themselves.