MEDIUM 6.2 PyPI

PyPDF2 quadratic runtime with malformed PDF missing xref marker

GHSA-jrm6-h9cq-8gqw · CVE-2023-36810

Published · Modified

Description

Impact

An attacker can craft a PDF that, when parsed, leads to an unexpectedly long runtime.
This quadratic runtime blocks the current process and pins a single CPU core at 100%. It does not affect memory usage.
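Since the page only says that the trigger is a malformed PDF missing its xref marker and that the effect is CPU time rather than memory, the practical mitigation for a service that ingests untrusted PDFs is to bound that CPU time. The following is an added example, not code from the advisory or the pypdf project: it rejects files whose tail lacks the `startxref` keyword (the marker that introduces the cross-reference offset in the PDF format) before the parser sees them, and parses everything else in a child interpreter that is killed when a wall-clock budget expires. The helper names, the 2048-byte tail window, the 5-second default budget and the use of `PyPDF2.PdfReader` (the reader class in PyPDF2 2.x and later) are all assumptions of this example.

```python
"""Defensive wrapper for untrusted PDFs handled by PyPDF2.

Added example, not part of the advisory or of the pypdf project.
Two layers, both choices of this example rather than anything the advisory prescribes:
 1. a cheap pre-check that the file tail carries the 'startxref' marker which the advisory
    says is missing in the malformed input, so such files are rejected before parsing;
 2. a hard wall-clock budget, enforced by parsing in a child process that is killed on
    timeout, which bounds how much CPU an unexpectedly long runtime can consume.
"""
import subprocess
import sys
import tempfile

STARTXREF = b"startxref"   # keyword preceding the xref offset in a PDF file (PDF spec)
TAIL_BYTES = 2048          # assumed window: the marker sits near the end of the file


def has_startxref(data: bytes, tail_bytes: int = TAIL_BYTES) -> bool:
    """Return True if the last `tail_bytes` of `data` contain the startxref marker."""
    return STARTXREF in data[-tail_bytes:]


def run_python_with_budget(code: str, timeout_s: float) -> str:
    """Run `code` in a fresh interpreter; return 'ok', 'error' or 'timeout'.

    subprocess.run kills the child before raising TimeoutExpired, so a CPU-bound
    parse cannot outlive the budget.
    """
    try:
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "ok" if proc.returncode == 0 else "error"


def parse_pdf_guarded(path: str, timeout_s: float = 5.0) -> str:
    """Pre-check `path`, then parse it with PyPDF2 in a child process under a time budget.

    Returns 'rejected' (no startxref in the tail), 'ok', 'error' or 'timeout'.
    Assumes PyPDF2 2.x or later, where the reader class is PdfReader.
    """
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        tail = fh.read()
    if not has_startxref(tail):
        return "rejected"
    code = ("import PyPDF2\n"
            f"reader = PyPDF2.PdfReader({path!r})\n"
            "print(len(reader.pages))\n")
    return run_python_with_budget(code, timeout_s)


def write_temp(data: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".pdf", delete=False) as fh:
        fh.write(data)
        return fh.name


# Constructed samples (not real malicious files): a well-formed tail with the marker,
# and a tail from which the xref section and startxref keyword have been dropped.
GOOD_TAIL = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
             b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n54\n%%EOF\n")
BAD_TAIL = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"trailer\n<< /Size 2 /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print("good tail has marker:", has_startxref(GOOD_TAIL))      # True
    print("bad tail has marker:", has_startxref(BAD_TAIL))        # False
    print("malformed file:", parse_pdf_guarded(write_temp(BAD_TAIL)))  # rejected
    # A busy loop stands in for a quadratic parse; the budget ends it.
    print("runaway child:", run_python_with_budget("while True: pass", 1.0))  # timeout
```

The pre-check is deliberately narrow: it only catches the class of malformed input the advisory names, and a file that carries the keyword but is otherwise broken still reaches the parser. The process budget is the layer that actually caps the cost of any slow parse, and it composes with the real fix, which is upgrading to a patched pypdf.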

Patches

https://github.com/py-pdf/pypdf/pull/808

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References
