pdfcpu CVE-2026-38970
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated attacker delivers a crafted PDF over the network with no interaction; sole impact is process crash, so C:N/I:N/A:H, matching the published vector.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.
AnalysisAI
Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application feed an attacker-supplied PDF to pdfcpu's object parser (any operation that invokes ParseObjectContext(), e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:N/I:N/A:H, base 7.5) reflects a network-reachable, unauthenticated, low-complexity attack whose only impact is availability - there is no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a small, malformed PDF containing an array nested hundreds of thousands of levels deep to a web service that uses pdfcpu to validate, merge, or extract content from user documents. When pdfcpu parses the file, mutual recursion between ParseObjectContext() and parseArray() overruns the goroutine stack and the Go runtime fatally panics, crashing the service for all users. … |
| Remediation | Upgrade to a pdfcpu release later than v0.11.1 that enforces a maximum parse nesting depth; the references cite the upstream repository (https://github.com/pdfcpu/pdfcpu) and the specific vulnerable lines (parse.go L325-366 and L942-970), but no exact fixed version tag is included in the provided data, so confirm the patched release on the project's releases page before pinning - released patched version not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all internal applications using pdfcpu via go.mod dependency scanning and software supply-chain tools; document each service's criticality and exposure to untrusted PDF sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today