Impact
The vulnerability in pypdf, resulting from weaknesses in CWE-400 (Uncontrolled Resource Consumption) and CWE-835 (Infinite Loops), allows an attacker to craft a PDF that, when its text is extracted, causes the library to allocate an excessive amount of memory. The issue arises from pages containing a form XObject with self-references that trigger uncontrolled resource consumption. The resulting high memory usage can force the application or host system to run out of available memory, potentially leading to crashes or forced restarts, which in turn constitute a denial‑of‑service attack.
Affected Systems
Any installation of the py-pdf pypdf library older than version 6.12.2 is affected. Those deployments that invoke the text extraction function on PDFs received from untrusted or external sources are at risk.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate to high severity. The EPSS score is 0.00125, indicating a very low but non-zero probability of exploitation. The lack of listing in the CISA KEV catalog does not reduce the potential impact. The vulnerability stems from CWE-400 and CWE-835 weaknesses, causing uncontrolled resource consumption during text extraction. The attack requires the adversary to supply a malicious PDF and to trigger text extraction; therefore, the vector is likely application‑level input handling. If an application processes PDFs without proper safeguards, the vulnerability can be exploited to exhaust memory and impair service availability.
OpenCVE Enrichment
Github GHSA