Vulnerabilities > CVE-2023-46250 - Infinite Loop vulnerability in Pypdf Project Pypdf

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

pypdf-project

CWE-835

NVD

Published: 2023-10-31

Updated: 2023-11-08

Summary

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.

Vulnerable Configurations

Part	Description	Count
Application	Pypdf_Project Pypdf Project Pypdf 3.7.0 Pypdf Project Pypdf 3.7.1 Pypdf Project Pypdf 3.8.0 Pypdf Project Pypdf 3.8.1 Pypdf Project Pypdf 3.9.0 Pypdf Project Pypdf 3.9.1 Pypdf Project Pypdf 3.10.0 Pypdf Project Pypdf 3.11.0 Pypdf Project Pypdf 3.11.1 Pypdf Project Pypdf 3.12.0 Pypdf Project Pypdf 3.12.1 Pypdf Project Pypdf 3.12.2 Pypdf Project Pypdf 3.13.0 Pypdf Project Pypdf 3.14.0 Pypdf Project Pypdf 3.15.0 Pypdf Project Pypdf 3.15.1 Pypdf Project Pypdf 3.15.2 Pypdf Project Pypdf 3.15.3 Pypdf Project Pypdf 3.15.4 Pypdf Project Pypdf 3.15.5 Pypdf Project Pypdf 3.16.0 Pypdf Project Pypdf 3.16.1 Pypdf Project Pypdf 3.16.2 Pypdf Project Pypdf 3.16.3 Pypdf Project Pypdf 3.16.4	25

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References