logo

Database

Inappropriate coding practices In pypdf

Description

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations.

Patches

The issue was fixed with #2264

Workarounds

If you cannot update your version of pypdf, you should modify pypdf/generic/_data_structures.py just like #2264 did.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-462502. NVD-2023-462503. OSV-2023-462504. GHSA-wjcc-cq79-p63f5. GCVE-2023-462506. GHSA-wjcc-cq79-p63f

References

1. https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f2. https://github.com/py-pdf/pypdf/pull/22643. https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.