Infinite Loop when a comment isn't followed by a character in pypdf
Description
pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/_data_structures.py` to `while peek not in (b"\r", b"\n", b"")`.
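To make the root cause concrete, here is an added example (not pypdf's own code) that re-creates the comment-skipping loop of `__parse_content_stream` inside a toy content-stream tokenizer. The names `skip_comment`, `parse_content_stream` and `hangs_unpatched` are chosen for this illustration, and the `max_reads` guard stands in for the hang the real loop produces.

```python
from io import BytesIO

EOF = b""  # .read(1) returns b"" once the stream is exhausted

def skip_comment(stream: BytesIO, stop_on_eof: bool, max_reads: int = 10_000) -> int:
    """Consume a '%' comment (the '%' is already read) up to end of line.

    stop_on_eof=False mirrors the pre-3.9.0 condition: at EOF read(1) keeps
    returning b"", which never matches CR or LF, so the loop spins forever;
    max_reads turns that hang into an error. Returns the number of reads.
    """
    terminators = (b"\r", b"\n", EOF) if stop_on_eof else (b"\r", b"\n")
    peek, reads = b"%", 0
    while peek not in terminators:
        if reads >= max_reads:
            raise RuntimeError("comment loop did not terminate: EOF never matched")
        peek = stream.read(1)
        reads += 1
    return reads

def parse_content_stream(data: bytes, stop_on_eof: bool = True) -> list:
    """Toy tokenizer (constructed, not pypdf's): whitespace-separated tokens,
    '%' comments dropped, roughly the path text extraction takes."""
    stream = BytesIO(data)
    tokens, current = [], b""
    while True:
        peek = stream.read(1)
        if peek == EOF:
            break
        if peek == b"%":
            skip_comment(stream, stop_on_eof)  # comment runs to CR/LF (or EOF)
        elif peek.isspace():
            if current:
                tokens.append(current)
                current = b""
        else:
            current += peek
    if current:
        tokens.append(current)
    return tokens

def hangs_unpatched(data: bytes) -> bool:
    """True if the pre-fix loop condition fails to terminate on this input."""
    try:
        parse_content_stream(data, stop_on_eof=False)
    except RuntimeError:
        return True
    return False
```

A stream whose last bytes are a `%` comment with no trailing newline is the trigger: the patched condition stops on `b""`, the old one never does.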
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pypdf (PyPI) | >= 3.1.0, < 3.9.0 | 3.9.0 |
| PyPDF2 (PyPI) | >= 2.2.0, <= 3.0.1 | none |
Affected products
Patches
b0e5c689df68 BUG: Prevent infinite loop when no character follows after a comment (#1828)
5 files changed · +18 −1
pypdf/generic/_data_structures.py+1 −1 modified@@ -1016,7 +1016,7 @@ def __parse_content_stream(self, stream: StreamType) -> None: # encountering a comment -- but read_object assumes that # following the comment must be the object we're trying to # read. In this case, it could be an operator instead. - while peek not in (b"\r", b"\n"): + while peek not in (b"\r", b"\n", b""): peek = stream.read(1) else: operands.append(read_object(stream, None, self.forced_encoding))
requirements/ci-3.11.txt+3 −0 modified@@ -50,10 +50,13 @@ pytest==7.2.2 # -r requirements/ci.in # pytest-benchmark # pytest-socket + # pytest-timeout pytest-benchmark==4.0.0 # via -r requirements/ci.in pytest-socket==0.6.0 # via -r requirements/ci.in +pytest-timeout==2.1.0 + # via -r requirements/ci.in ruff==0.0.259 # via -r requirements/ci.in typeguard==3.0.2
requirements/ci.in+1 −0 modified@@ -9,6 +9,7 @@ pycryptodome pytest pytest-benchmark pytest-socket +pytest-timeout typeguard types-dataclasses types-Pillow
requirements/ci.txt+3 −0 modified@@ -62,10 +62,13 @@ pytest==7.0.1 # -r requirements/ci.in # pytest-benchmark # pytest-socket + # pytest-timeout pytest-benchmark==3.4.1 # via -r requirements/ci.in pytest-socket==0.4.1 # via -r requirements/ci.in +pytest-timeout==2.1.0 + # via -r requirements/ci.in six==1.16.0 # via flake8-print tomli==1.2.3
tests/test_reader.py+10 −0 modified@@ -1401,3 +1401,13 @@ def test_iss1756(): in_pdf = PdfReader(BytesIO(get_pdf_from_url(url, name=name))) in_pdf.trailer["/ID"] # removed to cope with missing cryptodome during commit check : len(in_pdf.pages) + + +@pytest.mark.enable_socket() +@pytest.mark.timeout(30) +def test_iss1825(): + url = "https://github.com/py-pdf/pypdf/files/11367871/MiFO_LFO_FEIS_NOA_Published.3.pdf" + name = "iss1825.pdf" + reader = PdfReader(BytesIO(get_pdf_from_url(url, name=name))) + page = reader.pages[0] + page.extract_text()
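Review bot: in the `pypdf/generic/_data_structures.py` hunk, adding `b""` to the stop tuple is the right fix, because `stream.read(1)` returns an empty bytes object once the stream is exhausted and the old `while peek not in (b"\r", b"\n")` condition could never become false at that point, so a content stream whose last bytes are a `%` comment with no trailing newline looped forever; the comment block above the loop still only explains the `read_object` assumption, so a one-line note that the loop must also stop at end of stream would save the next reader from re-deriving this.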
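Review bot: in the `tests/test_reader.py` hunk, `test_iss1825` depends on a network download (`@pytest.mark.enable_socket()` plus `get_pdf_from_url`) and relies on `@pytest.mark.timeout(30)` to turn a regression back into a failure rather than a hang; a companion test that builds a minimal content stream ending in a `%` comment without a trailing newline in memory would exercise the same loop offline and deterministically, and since the result of `page.extract_text()` is discarded, a short comment stating that termination is the only thing under test would make that intent explicit.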
References
- github.com/advisories/GHSA-4vvm-4w3v-6mr8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-36464 (NVD advisory)
- github.com/py-pdf/pypdf/commit/b0e5c689df689ab173df84dacd77b6fc3c161932 (fix commit)
- github.com/py-pdf/pypdf/pull/1828 (fix pull request)
- github.com/py-pdf/pypdf/pull/969 (pull request that introduced the issue)
- github.com/py-pdf/pypdf/releases/tag/3.9.0 (patched release)
- github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8 (repository advisory)