Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

GHSA-wjcc-cq79-p63f · CVE-2023-46250

Published Oct 31, 2023 · Modified Feb 16, 2024

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations.

Patches

The issue was fixed with #2264

Workarounds

If you cannot update your version of pypdf, you should modify pypdf/generic/_data_structures.py just like #2264 did.

References

WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-46250
WEB https://github.com/py-pdf/pypdf/pull/2264
WEB https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d
PACKAGE https://github.com/py-pdf/pypdf

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes