CVE-2023-36810
Quadratic runtime with malformed PDF missing xref marker in pypdf
- Public Exploits: 2
- Exploited in Wild: -
Descriptions
pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who exploits this vulnerability can craft a PDF that leads to an unexpectedly long runtime. This quadratic runtime blocks the current process and can drive a single CPU core to 100% utilization. It does not affect memory usage. This issue has been addressed in PR 808, and versions from 1.27.9 onward include the fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.
It was discovered that PyPDF2 incorrectly handled PDF files with certain markers. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to consume system resources, resulting in a denial of service.
SSVC
- Decision: Track
Timeline
- 2023-06-27 CVE Reserved
- 2023-06-30 CVE Published
- 2025-02-13 CVE Updated
- 2025-02-13 First Exploit
- 2025-04-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-407: Inefficient Algorithmic Complexity
References (4)
URL | Date | SRC |
---|---|---|
https://github.com/py-pdf/pypdf/issues/582 | 2025-02-13 | |
https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw | 2025-02-13 | |
https://github.com/py-pdf/pypdf/pull/808 | 2023-07-14 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Pypdf Project | Pypdf | <= 1.27.8 | - | Affected |