CVE-2023-46250 — Infinite Loop in Project Pypdf

CWE-835 — Infinite Loop5 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 74.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypdf Project Pypdf Py-pdf Pypdf Debian Pypdf +1 more

Timeline

PublishedOct 31

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶NVDpypdf_project/pypdf3.7.0 — 3.17.0

▶PyPIpypdf_project/pypdf3.7.0 — 3.17.0

▶CVEListV5py-pdf/pypdf>= 3.7.0, < 3.17.0

▶debiandebian/pypdf

▶debiandebian/pypdf2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF↗2023-10-31

▶

OSV

CVE-2023-46250: pypdf is a free and open-source pure-python PDF library↗2023-10-31

▶

OSV

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF↗2023-10-31

▶

📋Vendor Advisories

Debian

CVE-2023-46250: pypdf - pypdf is a free and open-source pure-python PDF library. An attacker who uses a ...↗2023

▶