Skip to main content

pypdf EUVDEUVD-2026-38355

| CVE-2026-54531 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-m2v9-299j-rv96
6.9
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Worst-case assumes network-reachable merge endpoint with no authentication; only availability is impacted via infinite loop with no code execution possible.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:52 vuln.today
Analysis Generated
Jun 16, 2026 - 14:52 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pypdf (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.13.0.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.

Patches

This has been fixed in pypdf==6.13.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3830.

AnalysisAI

Processing crafted PDF outlines in pypdf versions prior to 6.13.0 triggers an infinite loop during writer merge operations, causing a denial of service. Applications that accept user-supplied PDFs and merge them using PdfWriter are affected - specifically any code path that calls merge() on a PDF whose /Outlines or /Parent hierarchy contains circular references. No public exploit has been identified at time of analysis and this is not listed in CISA KEV; a vendor-released patch is available as pypdf 6.13.0.

Technical ContextAI

pypdf is a pure-Python PDF processing library (pip package: pkg:pip/pypdf) used to read, write, split, and merge PDF documents. The vulnerability class is CWE-835 (Loop with Unreachable Exit Condition). The PDF specification allows outline/bookmark nodes to be linked via /First, /Next, and /Last dictionary entries, and page objects to reference ancestors via /Parent entries. Prior to the fix, two traversal functions - _get_filtered_outline() in pypdf/_writer.py and _layout_mode_fonts() in pypdf/_page.py - iterated these linked structures without any cycle detection. A crafted PDF can embed circular references (e.g., an outline node whose /Next points back to an ancestor), causing the while loop to run indefinitely. The patch in PR #3830 introduces a visited set of object IDs in both traversal routines and breaks with a logged warning upon detecting a cycle, consistent with standard cycle-detection techniques for graph traversal.

RemediationAI

Upgrade pypdf to version 6.13.0 or later using pip install 'pypdf>=6.13.0'; the release is confirmed at https://github.com/py-pdf/pypdf/releases/tag/6.13.0. If an immediate upgrade is not possible, the upstream fix from PR #3830 (https://github.com/py-pdf/pypdf/pull/3830) can be manually applied to the local installation - it adds a visited set of object IDs to _get_filtered_outline() in _writer.py and to _layout_mode_fonts() in _page.py to break cycles. As a compensating control, wrap merge operations in a subprocess or thread with a strict wall-clock timeout (e.g., concurrent.futures.ThreadPoolExecutor with a timeout, or subprocess with a timeout parameter) to bound the impact of an infinite loop; note this adds latency overhead and requires error handling for timeout exceptions. Additionally, restricting PDF merge endpoints to authenticated or trusted users reduces the attack surface when patching is delayed.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-38355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy