pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

GHSA-87mj-5ggw-8qc3 · CVE-2026-33699

Published Mar 25, 2026 · Modified Mar 30, 2026

Description

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.

This has been fixed in pypdf==6.9.2.

If users cannot upgrade yet, consider applying the changes from PR #3693.

Ready to move

Free, no credit card | First findings in minutes