CVE-2023-46250
published 2023-10-31CVE-2023-46250: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which…
PriorityP421medium5.5CVSS 3.1
AVLACLPRNUIRSUCNINAH
EPSS
0.24%
15.4th percentile
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pypdf | — | — |
| debian | pypdf2 | — | — |
| py-pdf | pypdf | — | — |
| pypdf_project | pypdf | >= 3.7.0 < 3.17.0 | 3.17.0 |
| pypdf_project | pypdf | >= 3.7.0 < 3.17.0 | 3.17.0 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv5.5MEDIUM
vendor_debian5.1LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
ghsa·2023-10-31
CVE-2023-46250 [MEDIUM] CWE-835 Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.
That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations.
### Patches
The issue was fixed with #2264
### Workarounds
If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.
OSV
CVE-2023-46250: pypdf is a free and open-source pure-python PDF library
osv·2023-10-31·CVSS 5.5
CVE-2023-46250 [MEDIUM] CVE-2023-46250: pypdf is a free and open-source pure-python PDF library
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
OSV
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
osv·2023-10-31
CVE-2023-46250 [MEDIUM] Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.
That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations.
### Patches
The issue was fixed with #2264
### Workarounds
If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.
Debian
CVE-2023-46250: pypdf - pypdf is a free and open-source pure-python PDF library. An attacker who uses a ...
vendor_debian·2023·CVSS 5.1
CVE-2023-46250 [MEDIUM] CVE-2023-46250: pypdf - pypdf is a free and open-source pure-python PDF library. An attacker who uses a ...
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2dhttps://github.com/py-pdf/pypdf/pull/2264https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63fhttps://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2dhttps://github.com/py-pdf/pypdf/pull/2264https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f
2023-10-31
Published