Bump pypdf 6.9.1 -> 6.10.2 to patch CVE-2026-40260

pypdf < 6.10.0 did not restrict recursive XML entity expansion when
parsing XMP metadata, allowing a crafted PDF to trigger a "billion
laughs"-style RAM exhaustion via PdfReader. Fixed upstream in 6.10.0.
Bumps to latest patch (6.10.2).

Relevant call site: browser_use/filesystem/file_system.py uses
pypdf.PdfReader on agent-downloaded PDFs, which is reachable from
attacker-controlled content.
Saurav Panda
2026-04-20 18:45:21 -07:00
parent d1690e510a
commit 74ccf0ebd6


@@ -37,7 +37,7 @@ dependencies = [
"google-auth==2.48.0",
"google-auth-oauthlib==1.2.4",
"mcp==1.26.0",
"pypdf==6.9.1",
"pypdf==6.10.2",
"reportlab==4.4.9",
"cdp-use==1.4.5",
"pyotp==2.9.0",
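Review bot: only the pin in the dependency list changes here; if the repository also carries a resolved lock file or a separate requirements file, it needs regenerating in the same commit, otherwise installs that resolve from the lock keep pypdf 6.9.1 and the fix described in the message is not actually applied. The new pin `"pypdf==6.10.2"` is consistent with the commit message (fix landed upstream in 6.10.0, bumped to the latest patch) and with the exact `==` pins used for the neighbouring entries.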