We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-46250

pypdf possible Infinite Loop when PdfWriter(clone_from) is used with a PDF



Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.

Reserved 2023-10-19 | Published 2023-10-31 | Updated 2024-09-05 | Assigner GitHub_M


MEDIUM: 5.1CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

>= 3.7.0, < 3.17.0
affected

References

github.com/.../pypdf/security/advisories/GHSA-wjcc-cq79-p63f

github.com/py-pdf/pypdf/pull/2264

github.com/...ommit/9b23ac3c9619492570011d551d521690de9a3e2d

cve.org (CVE-2023-46250)

nvd.nist.gov (CVE-2023-46250)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-46250

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.