Description
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Published: 2026-03-26
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Infinite Loop
Action: Immediate Patch
AI Analysis

Impact

An attacker can craft a PDF that causes pypdf, when used in non‑strict mode, to enter an endless loop during recovery attempts in the DictionaryObject.read_from_stream function. The loop consumes CPU time and memory without making progress, effectively locking the host application. This results in a denial of service rather than code execution or data exfiltration. The weakness stems from improper condition checks (CWE‑606) and uncontrolled loop increments (CWE‑835).

Affected Systems

The flaw affects all pypdf versions older than 6.9.2 on any operating system, because the library is pure Python and widely used in scripts and applications that process PDF files. Any Python program that imports pypdf and opens PDFs with non‑strict parsing is vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 4.6 indicates moderate severity, while the EPSS score of less than 1 % and absence from the CISA KEV catalog suggest a low probability of exploitation in the wild. The attack vector would require the delivery of a malicious PDF to the target application, typically via local user input or an uploaded file. Using strict parsing, if available, mitigates the risk.

Generated by OpenCVE AI on April 2, 2026 at 05:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pypdf 6.9.2 or later.
  • If an upgrade is not immediately possible, apply the changes from the official patch (GHSA‑87mj‑5ggw‑8qc3) to the affected module in your codebase.
  • Enable strict PDF parsing (strict=True) in pypdf calls to prevent the recovery loop from executing.
  • Restrict or sanitize external PDF inputs before they reach the pypdf processing routine.

Generated by OpenCVE AI on April 2, 2026 at 05:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87mj-5ggw-8qc3 pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Pypdf Project
Pypdf Project pypdf
CPEs cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
Vendors & Products Pypdf Project
Pypdf Project pypdf
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Py-pdf
Py-pdf pypdf
Vendors & Products Py-pdf
Py-pdf pypdf

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Title pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
Weaknesses CWE-835
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Py-pdf Pypdf
Pypdf Project Pypdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:59:39.751Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33699

cve-icon Vulnrichment

Updated: 2026-03-27T13:27:17.131Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T01:16:19.147

Modified: 2026-04-01T16:01:35.880

Link: CVE-2026-33699

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-26T23:58:42Z

Links: CVE-2026-33699 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:00Z

Weaknesses