Skip to main content

pypdf CVE-2026-54531

| EUVDEUVD-2026-38355 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-m2v9-299j-rv96
6.9
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Worst-case assumes network-reachable merge endpoint with no authentication; only availability is impacted via infinite loop with no code execution possible.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:52 vuln.today
Analysis Generated
Jun 16, 2026 - 14:52 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pypdf (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.13.0.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.

Patches

This has been fixed in pypdf==6.13.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3830.

AnalysisAI

Processing crafted PDF outlines in pypdf versions prior to 6.13.0 triggers an infinite loop during writer merge operations, causing a denial of service. Applications that accept user-supplied PDFs and merge them using PdfWriter are affected - specifically any code path that calls merge() on a PDF whose /Outlines or /Parent hierarchy contains circular references. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft PDF with cyclic /Outlines or /Parent structure
Delivery
Submit PDF to merge-capable endpoint
Exploit
PdfWriter.merge() invokes _get_filtered_outline()
Execution
Cycle detection absent - loop runs indefinitely
Persist
CPU resource exhaustion in worker
Impact
Service denial for all users

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application runs pypdf version earlier than 6.13.0 AND calls PdfWriter.merge() (or an equivalent merge workflow) on a PDF supplied by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was provided by NVD or the reporting source, and no EPSS data is available, so all severity signals must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a crafted PDF file in which the /Outlines dictionary contains a node whose /Next entry points back to an ancestor, forming a cycle invisible to naive parsers. When a vulnerable pypdf application calls PdfWriter.merge() with this file, _get_filtered_outline() enters an infinite loop, consuming CPU until the worker process hangs or is killed by an OS-level resource limit. …
Remediation Upgrade pypdf to version 6.13.0 or later using pip install 'pypdf>=6.13.0'; the release is confirmed at https://github.com/py-pdf/pypdf/releases/tag/6.13.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-54531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy