Vibe Security Radar

GHSA-vrqm-gvq7-rrwh

pdfme/pdfme
Mar 20, 2026 · CWE-409 (Improper Handling of Highly Compressed Data, "Data Amplification")
Verified by gpt-5.4-high
Severity: MEDIUM 6.5
Verdict: CONFIRMED (0.95 confidence)
AI Tool: Devin
Language: TypeScript

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS

How AI Introduced This

AI-authored code directly introduced the unbounded `DecodeStream.ensureBuffer()` implementation into the monorepo in commit `e4a4c300cd20dc34166e25565908d0a9afdb58f5`, and Devin also co-authored `3aacf2a9b1883b160db068863310f59940681d82`, which exposed the same parser through additional user-supplied PDF manipulation APIs. The product-level exposure began earlier in a human-authored commit, but AI-written code was still part of the causal chain, and the lines the fix later changed are lines it wrote.

Attribution Chain

Chain 1: Advisory → Advisory version → Fix commit 41dffae (pdfme/pdfme) → git blame on packages/pdf-lib/src/core/streams/DecodeStream.ts → Squash merge e4a4c30 (15 sub-commits) → PR decomposition (file overlap + AI signal analysis) → Bug-introducing commit

Chain 2: Advisory → Advisory version → Fix commit 8c3b6a7 (pdfme/pdfme) → git blame on packages/schemas/src/multiVariableText/propPanel.ts and packages/schemas/src/select/index.ts → Squash merge 2eff173 (8 sub-commits) → PR decomposition (file overlap + AI signal analysis) → Bug-introducing commit

Chain 3: Advisory → Advisory version → Fix commit 8c3b6a7 (pdfme/pdfme) → git blame on packages/schemas/src/multiVariableText/propPanel.ts → Squash merge c51ee07 (5 sub-commits) → PR decomposition (file overlap + AI signal analysis) → Bug-introducing commit

Bug-Introducing Commits (3)

Migrate pdf-lib into pdfme monorepo

Devin AI · Jun 26, 2025 · packages/pdf-lib/src/core/streams/DecodeStream.ts · Blame: 37%

Extracted from squash merge e4a4c30

14 other sub-commits in this PR:
9dc625b (Devin AI): Fix TypeScript module resolution for workspace dependencies [Devin: author name]
cef0f45 (Devin AI): Fix pdf-lib package.json exports paths [Devin: author name]
1f5a67a (Devin AI): Fix CodeQL security alerts in svg.ts [Devin: author name]
9873b6a (Devin AI): Implement comprehensive security fixes for CodeQL alerts in svg.ts [Devin: author name]
1a32c16 (Devin AI): Add additional security fixes for CodeQL alerts in svg.ts [Devin: author name]
482e76a (Devin AI): Implement comprehensive security hardening for CodeQL alerts in svg.ts [Devin: author name]
45737bb (Kyohei Fukuda): Potential fix for code scanning alert no. 32: Incomplete multi-character sanitization [GitHub Copilot: co-author trailer (generic)]
3cb34ff (Kyohei Fukuda): Potential fix for code scanning alert no. 39: Incomplete multi-character sanitization [GitHub Copilot: co-author trailer (generic)]
e0d80a0 (Kyohei Fukuda): Fix inefficient regular expression in svg.ts to pass CodeQL [Claude Code: co-author trailer]
9c31688 (Kyohei Fukuda): remove sanitize-html
4a2c051 (Kyohei Fukuda): move tests
3e16c0b (Kyohei Fukuda): fix for security
8bcdab6 (Kyohei Fukuda): update dependabot.yml
8f1e595 (Kyohei Fukuda): organize

Fix lint errors across multiple packages

Devin AI · Mar 5, 2025 · packages/schemas/src/multiVariableText/propPanel.ts, packages/schemas/src/select/index.ts · Blame: 100%

Extracted from squash merge 2eff173

7 other sub-commits in this PR:
9ee1292 (Devin AI): Fix type safety issues in tables/pdfRender.ts [Devin: author name]
5e0fe2e (Devin AI): Fix remaining lint errors in multiple packages [Devin: author name]
e57f6a4 (Devin AI): Fix type error in DetailView/index.tsx [Devin: author name]
65bb40e (hand-dot): Enable problematic test in Playground E2E Tests
45917f8 (hand-dot): TMP
58f7f1a (Devin AI): Fix TypeScript type compatibility issues across packages [Devin: author name]
66cfffa (hand-dot): Refactor typedI18n function to use a type-safe key assertion for i18n

Fix linting errors in packages/schemas

Devin AI · Mar 5, 2025 · packages/schemas/src/multiVariableText/propPanel.ts · Blame: 100%

Extracted from squash merge c51ee07

4 other sub-commits in this PR:
3d6ae19 (Devin AI, culprit): Fix type errors in multiVariableText/propPanel.ts and barcodes/helper.ts [Devin: author name]
2013512 (Kyohei Fukuda): Merge branch 'main' into devin/1741140245-fix-lint-errors
61d2aae (Devin AI, culprit): Fix PropPanelProps type error in multiVariableText/propPanel.ts [Devin: author name]
bc2ad30 (Kyohei Fukuda, culprit): Potential fix for code scanning alert no. 14: Unsafe HTML constructed from library input [GitHub Copilot: co-author trailer (generic)]

Deep Verification

by GPT-5.4 · CONFIRMED (0.95) · 68 tool calls

`e4a4c300` added `packages/pdf-lib/src/core/streams/DecodeStream.ts` to the monorepo, including the vulnerable `ensureBuffer(requested)` implementation with unbounded growth: `while (size < requested) { size *= 2; }` followed by `new Uint8Array(size)`, with no decoded-size cap. The fix commit `8c3b6a713b3de767e1bdcc37ce831ecbce0212f3` directly modifies those lines to add `MAX_DECODED_SIZE` checks, and blame on the fixed file attributes the pre-fix vulnerable lines to `e4a4c300`. Even though this was a migration/import of existing logic, reintroducing that vulnerable implementation into repo code is bug introduction under the stated criteria.
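The growth loop the verification describes, modelled as an added TypeScript example (this is not pdfme's or pdf-lib's code): a stand-in for the unbounded `ensureBuffer` doubling next to a capped version, plus a constructed FlateDecode-style payload built with Node's zlib so the amplification ratio a decompression bomb relies on is visible. `MAX_DECODED_SIZE` here is an assumed 16 MiB; the project's actual constant and its value are not on this page, and `growthTargetSize`, `ensureBufferUnbounded`, `ensureBufferCapped`, `makeDeflateBomb` and `inflateWithCap` are names chosen for this example.

```typescript
// Added example, not pdfme/pdf-lib code. It models the DecodeStream
// buffer-growth loop described in the verification (doubling until the
// requested decoded size is covered) next to a capped version, and builds
// a constructed FlateDecode-style bomb to show the amplification involved.
import { deflateSync, inflateSync, constants } from "zlib";

// Assumption: the project's real MAX_DECODED_SIZE value is not on this page.
export const MAX_DECODED_SIZE = 16 * 1024 * 1024; // 16 MiB

// Pure arithmetic for the doubling loop, so the damage of a hostile
// `requested` value can be computed without actually allocating it.
export function growthTargetSize(currentLength: number, requested: number): number {
  let size = currentLength > 0 ? currentLength : 1024;
  while (size < requested) {
    size *= 2;
  }
  return size;
}

// Vulnerable shape: no ceiling, so a stream whose decoded length is
// attacker-controlled (declared, or simply produced by inflate) drives a
// single allocation of gigabytes from a few KiB of input.
export function ensureBufferUnbounded(buf: Uint8Array, requested: number): Uint8Array {
  if (requested <= buf.length) return buf;
  const grown = new Uint8Array(growthTargetSize(buf.length, requested));
  grown.set(buf);
  return grown;
}

// Hardened shape: reject before allocating, and clamp the doubled size so
// the overshoot from the last doubling cannot exceed the cap either.
export function ensureBufferCapped(buf: Uint8Array, requested: number, cap = MAX_DECODED_SIZE): Uint8Array {
  if (requested > cap) {
    throw new RangeError(`decoded stream would exceed ${cap} bytes (requested ${requested})`);
  }
  if (requested <= buf.length) return buf;
  const size = Math.min(growthTargetSize(buf.length, requested), cap);
  const grown = new Uint8Array(size);
  grown.set(buf);
  return grown;
}

// Constructed sample input: zlib-compressed zeros, the same encoding a
// FlateDecode filter carries. Highly repetitive data approaches deflate's
// roughly 1000:1 ceiling, so tens of KiB inside a PDF expand to many MiB.
export function makeDeflateBomb(decodedBytes: number): Buffer {
  return deflateSync(Buffer.alloc(decodedBytes), { level: constants.Z_BEST_COMPRESSION });
}

// Bounded inflate using zlib's own maxOutputLength, which aborts the
// decode once the output would pass the cap instead of growing forever.
export function inflateWithCap(encoded: Buffer, cap = MAX_DECODED_SIZE): { ok: boolean; decodedLength: number } {
  try {
    return { ok: true, decodedLength: inflateSync(encoded, { maxOutputLength: cap }).length };
  } catch (err) {
    // Node raises a RangeError (ERR_BUFFER_TOO_LARGE) when the cap is hit.
    if (err instanceof RangeError) return { ok: false, decodedLength: -1 };
    throw err;
  }
}

// Decoded/encoded ratio is the other signal a streaming decoder can track
// incrementally and abort on, independent of any declared length.
export function amplificationRatio(encodedLength: number, decodedLength: number): number {
  return decodedLength / Math.max(1, encodedLength);
}

export function demo(): { encoded: number; capped: boolean; wouldAllocate: number } {
  const decoded = 32 * 1024 * 1024;
  const bomb = makeDeflateBomb(decoded);                      // 32 MiB of zeros, ~32 KiB compressed
  const result = inflateWithCap(bomb);                        // rejected: above the 16 MiB cap
  const wouldAllocate = growthTargetSize(1024, decoded);      // what the unbounded loop asks for
  console.log(
    `${bomb.length} bytes encoded (ratio ${amplificationRatio(bomb.length, decoded).toFixed(0)}:1), ` +
      `capped=${!result.ok}, unbounded loop would allocate ${wouldAllocate} bytes`,
  );
  return { encoded: bomb.length, capped: !result.ok, wouldAllocate };
}

demo();
```

Run with a Node-based TypeScript runner such as tsx or ts-node. The design point worth copying is the order of checks in `ensureBufferCapped`: the cap is compared against the requested size before any allocation, so a stream that lies about its decoded length is refused without the allocation the original loop would have made. `inflateWithCap` shows the equivalent ceiling one layer down, at zlib, where the decode is stopped mid-stream rather than after the full output has been produced; a parser that only checks size after inflating has already paid the memory cost.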

AI Signals (3)
430f682: Devin (author name "Devin AI"), 95%
a039de4: Devin (author name "Devin AI"), 95%
66472c0: Devin (author name "Devin AI"), 95%
Fix Commits (19), all pdfme/pdfme, advisory version:
8c3b6a7
41dffae
f838f25
a1b0976
e5ec86f
eb6e76d
97042e8
3130c92
17ac3ba
2f828c2
15e14a8
b14c45e
798a88a
060be00
883b7dc
e6829aa
378515e
921f3ab
838f687

References (1)