Moderate severity · NVD Advisory · Published Jun 30, 2023 · Updated Feb 13, 2025
Quadratic runtime with malformed PDF missing xref marker in pypdf
CVE-2023-36810
Description
pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker can craft a PDF that leads to unexpectedly long runtime: parsing a malformed file whose xref marker is missing takes quadratic time, which blocks the current process and drives a single CPU core to 100%. Memory usage is not affected. This issue has been addressed in PR 808; versions from 1.27.9 onward include the fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.
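The fix is to upgrade; there is no configuration knob that makes the affected versions safe. What a practitioner can still do while rolling out the upgrade is contain the damage a single crafted file can do, since the impact here is bounded CPU time on one core rather than memory or code execution. The block below is an added example, not code from the advisory or from pypdf: it runs an arbitrary parser callable in a child process and kills it when a wall-clock budget is exceeded, so one pathological input costs one worker for a few seconds instead of pinning a core indefinitely. The `locate_startxref` and `spin_forever` functions are constructed stand-ins so the block runs without pypdf installed; `page_count_bounded` assumes the pypdf 3.x `pypdf.PdfReader` API and is only exercised if that package is present.

```python
"""Bound the time a PDF parser may spend on one untrusted input.

Added example for the CVE-2023-36810 advisory; not pypdf's own code.
"""
import io
import multiprocessing as mp
from typing import Any, Callable, Tuple


def _worker(fn: Callable[..., Any], args: tuple, conn) -> None:
    """Run fn(*args) in the child and ship the outcome back over the pipe."""
    try:
        conn.send(("ok", fn(*args)))
    except Exception as exc:  # parser errors are ordinary results, not crashes
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_bounded(fn: Callable[..., Any], args: tuple, timeout_s: float) -> Tuple[str, Any]:
    """Call fn(*args) in a separate process and terminate it after timeout_s seconds.

    Returns one of:
      ("ok", result)        fn returned normally
      ("error", repr(exc))  fn raised
      ("timeout", None)     budget exhausted; child was killed
      ("crashed", exitcode) child died without reporting (e.g. OOM kill)
    """
    parent_conn, child_conn = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(fn, args, child_conn))
    proc.start()
    child_conn.close()  # only the child writes to this end
    proc.join(timeout_s)
    if proc.is_alive():
        proc.terminate()  # SIGTERM interrupts even a tight CPU-bound loop
        proc.join()
        return ("timeout", None)
    if parent_conn.poll():
        return parent_conn.recv()
    return ("crashed", proc.exitcode)


# Constructed stand-ins so the block runs offline without pypdf installed.
def locate_startxref(data: bytes) -> int:
    """Well-behaved work: offset of the last 'startxref' keyword, or -1."""
    return data.rfind(b"startxref")


def spin_forever() -> None:
    """Stand-in for a parser stuck in pathological runtime (constructed, not pypdf's code)."""
    while True:
        pass


def _count_pages(pdf_bytes: bytes) -> int:
    # Assumption: pypdf 3.x is installed and exposes pypdf.PdfReader.
    from pypdf import PdfReader
    return len(PdfReader(io.BytesIO(pdf_bytes)).pages)


def page_count_bounded(pdf_bytes: bytes, timeout_s: float = 5.0) -> Tuple[str, Any]:
    """Count pages with pypdf inside the time budget (requires pypdf; see _count_pages)."""
    return run_bounded(_count_pages, (pdf_bytes,), timeout_s)


# Constructed sample bytes, not a real PDF file; 'startxref' begins at offset 13.
GOOD = b"%PDF-1.4\n...\nstartxref\n116\n%%EOF\n"

if __name__ == "__main__":
    print(run_bounded(locate_startxref, (GOOD,), 2.0))  # ('ok', 13)
    print(run_bounded(spin_forever, (), 0.5))           # ('timeout', None)
```

A wall-clock budget is harm reduction, not a fix: the child still burns a full core until the deadline, so size the budget to the largest legitimate document you expect and treat a `timeout` result as a signal to reject the file and log the source.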
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| PyPDF2 (PyPI) | < 1.27.9 | 1.27.9 |
References
- https://github.com/advisories/GHSA-jrm6-h9cq-8gqw (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-36810 (NVD entry)
- https://github.com/py-pdf/pypdf/commit/c6c56f550bb384e05f0139c796ba1308837d6373 (commit)
- https://github.com/py-pdf/pypdf/issues/582 (issue)
- https://github.com/py-pdf/pypdf/pull/808 (fix, PR 808)
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw (project security advisory)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00019.html (Debian LTS announcement)