Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted PDF that triggers an infinite loop during font retrieval in layout-mode text extraction causes the pypdf library to consume CPU and memory indefinitely, effectively denying service to the process that is handling the PDF. This flaw is a classic infinite loop vulnerability, classified as CWE-835, and leads to resource exhaustion without compromising confidentiality or integrity.

Affected Systems

Applications that incorporate py-pdf’s pypdf library and perform text extraction in layout mode are affected. Versions of pypdf earlier than 6.13.0 are vulnerable; the fix is released in pypdf 6.13.0 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating Medium severity. EPSS is not available, so the likelihood of exploitation cannot be quantified, and the issue is not listed in CISA's KEV catalog. Attackers can exploit the flaw by supplying a malicious PDF to any service or user that calls pypdf's layout-mode extraction; the CVSS vector rates the attack vector as local (AV:L), but the flaw becomes remotely reachable wherever an application accepts PDFs from the network. The impact is limited to denial of service for the affected process rather than data breach or code execution.

Generated by OpenCVE AI on June 22, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the pypdf library to version 6.13.0 or later to apply the fixed code.
  • If upgrading immediately is not feasible, avoid invoking layout-mode text extraction on PDFs from untrusted sources until a patch can be applied.
  • Monitor resource usage and enforce limits for processes that perform PDF parsing, so that an infinite loop can be detected and terminated before it affects system availability.
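One way to apply the third action for a process that must still handle untrusted PDFs, as an added example that is neither part of this record nor pypdf's own code: run layout-mode extraction in a forked child with a CPU-time rlimit and a wall-clock deadline, so a runaway loop is killed and reported instead of hanging the service. It assumes a POSIX host (the resource module) and, for the real code path, that pypdf is installed; spin_forever is a constructed stand-in for a page that triggers the loop.

```python
import multiprocessing as mp
import resource

def _run_limited(fn, args, cpu_seconds, conn):
    try:
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        hard = cpu_seconds + 1 if hard == resource.RLIM_INFINITY else min(hard, cpu_seconds + 1)
        # Passing the soft limit delivers SIGXCPU, whose default action kills the child.
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, hard), hard))
    except (ValueError, OSError):
        pass  # could not lower the limit; the parent's wall-clock deadline still applies
    try:
        conn.send(("ok", fn(*args)))
    except Exception as exc:  # bad PDF, missing pypdf, ...: report instead of hanging
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def guarded_call(fn, args=(), cpu_seconds=5, wall_seconds=10):
    """Run fn(*args) in a forked child under a CPU rlimit and a wall-clock deadline.
    Returns (status, value); status is "ok", "error", "killed" (child hit the CPU
    limit) or "timeout" (deadline passed and the child was killed by the parent)."""
    ctx = mp.get_context("fork")
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_run_limited, args=(fn, args, cpu_seconds, child_conn))
    proc.start()
    child_conn.close()  # leave the write end to the child only, so its death reads as EOF
    if parent_conn.poll(wall_seconds):
        try:
            result = parent_conn.recv()
        except EOFError:
            result = ("killed", None)
    else:
        result = ("timeout", None)
    if proc.is_alive():
        proc.kill()
    proc.join()
    return result

def layout_text(pdf_path):
    """The code path this advisory concerns (assumes pypdf is installed)."""
    from pypdf import PdfReader
    reader = PdfReader(pdf_path)
    return [page.extract_text(extraction_mode="layout") for page in reader.pages]

def spin_forever():
    """Constructed stand-in for a page that sends the extractor into its infinite loop."""
    while True:
        pass
```

A call such as guarded_call(layout_text, ("upload.pdf",), cpu_seconds=5, wall_seconds=10) returns ("ok", pages) for a well-formed file and "killed" or "timeout" for one that loops, which is the signal to log, alert on and reject the upload.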

Advisories
Source        ID                     Title
Github GHSA   GHSA-52x6-gq3r-vpf4    pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
History

Tue, 23 Jun 2026 00:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Py-pdf
                                        Py-pdf pypdf
Vendors & Products                      Py-pdf
                                        Py-pdf pypdf

Mon, 22 Jun 2026 21:00:00 +0000

Type           Values Removed    Values Added
Description                      pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. This vulnerability is fixed in 6.13.0.
Title                            pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
Weaknesses                       CWE-835
References
Metrics                          cvssV4_0
                                 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:25:29.305Z

Reserved: 2026-06-15T18:40:01.651Z

Link: CVE-2026-54530

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')