Skip to main content

pypdf EUVDEUVD-2026-38358

| CVE-2026-54651 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-22 GitHub_M GHSA-g9xf-7f8q-9mcj
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

Attacker delivers a crafted file processed locally by pypdf with no required privileges or separate user interaction; only availability is impacted via process hang.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 22, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 21:23 vuln.today
Analysis Generated
Jun 22, 2026 - 21:23 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on pypdf (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.13.1.

DescriptionCVE.org

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1.

AnalysisAI

Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the _add_articles_thread() method of _writer.py, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential /N (Next) pointer chain to create an irrecoverable loop. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft PDF with cyclic article bead chain (/N pointer loop)
Delivery
Deliver crafted PDF to merge-enabled pypdf application
Exploit
Application calls PdfWriter merge, invoking _add_articles_thread
Execution
Method traverses cyclic linked list without exit condition
Persist
Worker process enters infinite loop, consuming CPU
Impact
Application thread/process becomes unresponsive (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: (1) the target application must invoke pypdf's PDF merge functionality - specifically a code path that calls `_add_articles_thread()`, triggered when the source PDF's document catalog contains a `/Threads` array with at least one thread entry; and (2) the attacker must control or influence one of the PDFs being merged to supply a crafted file. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) with vector AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H accurately reflects that the impact is limited to availability (process hang) with no confidentiality or integrity consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted PDF to a web application or batch pipeline that uses pypdf to merge user-supplied documents - for example, a document management system or report generator. The PDF contains three article bead dictionaries where the last bead's `/N` pointer references itself or an earlier bead, forming a cycle. …
Remediation Upgrade pypdf to version 6.13.1 or later, available via PyPI (`pip install --upgrade pypdf`) and documented at https://github.com/py-pdf/pypdf/releases/tag/6.13.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-38358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy