LDR Security Patch: Critical pypdf Vulnerability Exposed in arXiv/PubMed PDF Processing

A routine dependency update for the LDR platform has exposed a critical, actively exploitable vulnerability in its core PDF processing pipeline. The security patch addresses four GitHub security alerts, but one stands out: an XMP entity-expansion denial-of-service (DoS) flaw in the `pypdf` library (CVE via GHSA-3crg-w4f6-42mx). This vulnerability is uniquely dangerous within LDR's architecture because its arXiv, PubMed, and bioRxiv downloaders automatically hand third-party PDFs to the vulnerable `PdfReader` without any pre-parse size limits, creating a direct and unmitigated exploit path for malicious documents.

The patch bumps `pypdf` from version 6.9.2 to 6.10.1. Three other libraries—`langchain-core`, `cryptography`, and `pytest`—were also updated for defense-in-depth, though their associated CVEs (CVE-2026-40087, CVE-2026-39892, CVE-2025-71176) are not currently reachable in LDR's production environment. The update also cleans up three stale `import PyPDF2` references, one of which was causing a latent `ImportError` for any PDF added to a user's library collection, indicating legacy code entanglement with the current security posture.

This incident highlights the hidden risks in automated academic data ingestion systems. While the other patched vulnerabilities are currently theoretical within LDR, the `pypdf` flaw represents a concrete operational threat. The platform's reliance on parsing unfiltered, externally-sourced PDFs from major preprint servers creates a single point of failure that could be weaponized to disrupt service. The cleanup of deprecated PyPDF2 imports further suggests an ongoing need to audit and harden the dependency chain against both active exploits and legacy system errors.