We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-46250

pypdf possible Infinite Loop when PdfWriter(clone_from) is used with a PDF



AssignerGitHub_M
Reserved2023-10-19
Published2023-10-31
Updated2024-09-05

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.



MEDIUM: 5.1CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

>= 3.7.0, < 3.17.0
affected

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f

https://github.com/py-pdf/pypdf/pull/2264

https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d

cve.org CVE-2023-46250

nvd.nist.gov CVE-2023-46250

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-46250
Subscribe to our newsletter to learn more about our work.