CVE-2023-46250

MEDIUM5.1EPSS 0.09%

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

Published: 10/31/2023Modified: 2/16/2024

Description

### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. ### Patches The issue was fixed with #2264 ### Workarounds If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.

Affected packages (1)

PyPI/pypdf>= 3.7.0, < 3.17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.1	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-46250
PATCHhttps://github.com/py-pdf/pypdf
WEBhttps://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d
WEBhttps://github.com/py-pdf/pypdf/pull/2264
WEBhttps://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f