Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Worst-case assumes network-reachable merge endpoint with no authentication; only availability is impacted via infinite loop with no code execution possible.
Primary rating from Vendor (https://github.com/py-pdf/pypdf).
CVSS VectorVendor: https://github.com/py-pdf/pypdf
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on pypdf (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.13.0.
DescriptionCVE.org
Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.
Patches
This has been fixed in pypdf==6.13.0.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3830.
AnalysisAI
Processing crafted PDF outlines in pypdf versions prior to 6.13.0 triggers an infinite loop during writer merge operations, causing a denial of service. Applications that accept user-supplied PDFs and merge them using PdfWriter are affected - specifically any code path that calls merge() on a PDF whose /Outlines or /Parent hierarchy contains circular references. No public exploit has been identified at time of analysis and this is not listed in CISA KEV; a vendor-released patch is available as pypdf 6.13.0.
Technical ContextAI
pypdf is a pure-Python PDF processing library (pip package: pkg:pip/pypdf) used to read, write, split, and merge PDF documents. The vulnerability class is CWE-835 (Loop with Unreachable Exit Condition). The PDF specification allows outline/bookmark nodes to be linked via /First, /Next, and /Last dictionary entries, and page objects to reference ancestors via /Parent entries. Prior to the fix, two traversal functions - _get_filtered_outline() in pypdf/_writer.py and _layout_mode_fonts() in pypdf/_page.py - iterated these linked structures without any cycle detection. A crafted PDF can embed circular references (e.g., an outline node whose /Next points back to an ancestor), causing the while loop to run indefinitely. The patch in PR #3830 introduces a visited set of object IDs in both traversal routines and breaks with a logged warning upon detecting a cycle, consistent with standard cycle-detection techniques for graph traversal.
RemediationAI
Upgrade pypdf to version 6.13.0 or later using pip install 'pypdf>=6.13.0'; the release is confirmed at https://github.com/py-pdf/pypdf/releases/tag/6.13.0. If an immediate upgrade is not possible, the upstream fix from PR #3830 (https://github.com/py-pdf/pypdf/pull/3830) can be manually applied to the local installation - it adds a visited set of object IDs to _get_filtered_outline() in _writer.py and to _layout_mode_fonts() in _page.py to break cycles. As a compensating control, wrap merge operations in a subprocess or thread with a strict wall-clock timeout (e.g., concurrent.futures.ThreadPoolExecutor with a timeout, or subprocess with a timeout parameter) to bound the impact of an infinite loop; note this adds latency overhead and requires error handling for timeout exceptions. Additionally, restricting PDF merge endpoints to authenticated or trusted users reduces the attack surface when patching is delayed.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38355
GHSA-m2v9-299j-rv96