Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. This vulnerability is fixed in 6.13.0.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pypdf is an open-source pure-Python PDF library that contains a flaw where merging a PDF file with outlines into a writer can trigger an unbounded loop. This loop repeatedly processes outline entries without end, consuming CPU cycles and potentially exhausting system resources. The impact is a denial of service to the application that performs the merge or to the environment in which the merge occurs, as the process may become unresponsive or crash.

Affected Systems

The vulnerability affects installations of the pypdf library prior to version 6.13.0. Any Python application or service that merges PDF documents and allows users to supply files with outlines or bookmarks is potentially impacted. Versions 6.13.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. No EPSS score is published, and the issue is not in the CISA KEV catalog, which suggests limited evidence of public exploitation. An attacker can exploit the flaw by crafting a PDF with a malicious outline structure and delivering it to an application that merges it with pypdf. The attack is application-level and results in denial of service; the malicious PDF likely has to be processed locally by the vulnerable process. Patching removes the flaw; until then, the application remains exploitable via crafted PDFs.

Generated by OpenCVE AI on June 22, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pypdf version 6.13.0 or later
  • Validate or limit outline depth before merging; consider pre-processing PDFs in a controlled sandbox
  • If upgrade is not immediately possible, run PDF processing in a separate process monitored by a watchdog that terminates the process after a timeout to prevent resource exhaustion
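The watchdog from the last action, as an added example that is neither OpenCVE's nor pypdf's own code: the merge runs in a child interpreter that is killed when it exceeds a time budget, so a crafted PDF can at most burn one process for that long. MERGE_SCRIPT uses pypdf's PdfWriter.append() and write(); HANG_SCRIPT is a constructed stand-in for a merge stuck in an unbounded loop so the wrapper can be exercised without a crafted PDF or pypdf installed.

```python
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Child-side script: the merge that can hang on a crafted PDF. It uses pypdf's
# PdfWriter.append(), which imports pages and outlines/bookmarks from each input.
MERGE_SCRIPT = r"""
import sys
from pypdf import PdfWriter
out_path, *inputs = sys.argv[1:]
writer = PdfWriter()
for path in inputs:
    writer.append(path)  # imports outlines; this is the code path that can loop
writer.write(out_path)
"""

# Constructed stand-in for a merge stuck in an unbounded loop (CWE-835).
HANG_SCRIPT = "while True:\n    pass\n"


@dataclass
class MergeResult:
    ok: bool
    timed_out: bool
    returncode: Optional[int]
    stderr: str


def run_guarded(script: str, args: List[str], timeout_s: float) -> MergeResult:
    """Run `script` in a fresh interpreter; the child is killed if it exceeds timeout_s.

    A separate process means a hung merge cannot pin the parent's worker or
    event loop, and killing it frees the CPU it was burning.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", script, *args],
            capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills and reaps the child before raising.
        return MergeResult(ok=False, timed_out=True, returncode=None, stderr="")
    return MergeResult(ok=proc.returncode == 0, timed_out=False,
                       returncode=proc.returncode, stderr=proc.stderr)


def merge_with_watchdog(output_path: str, input_paths: List[str],
                        timeout_s: float = 30.0) -> MergeResult:
    """Merge input_paths into output_path under the watchdog; timed_out=True on a hang."""
    return run_guarded(MERGE_SCRIPT, [output_path, *input_paths], timeout_s)


if __name__ == "__main__":
    print(run_guarded(HANG_SCRIPT, [], timeout_s=1.0))  # timed_out=True
```

Pick timeout_s from the size of PDFs you legitimately merge; a timed-out result should be logged and the input quarantined rather than retried.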


Advisories

Source: GitHub GHSA
ID: GHSA-m2v9-299j-rv96
Title: pypdf: Possible infinite loop when processing outlines/bookmarks in writer

History

Tue, 23 Jun 2026 00:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Py-pdf; Py-pdf pypdf

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Py-pdf; Py-pdf pypdf

Mon, 22 Jun 2026 21:00:00 +0000

Type: Description
  Values Added: pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. This vulnerability is fixed in 6.13.0.

Type: Title
  Values Added: pypdf: Possible infinite loop when processing outlines/bookmarks in writer

Type: Weaknesses
  Values Added: CWE-835

Type: References
  Values Added: (none)

Type: Metrics
  Values Added: cvssV4_0
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:26:19.756Z

Reserved: 2026-06-15T18:40:01.651Z

Link: CVE-2026-54531

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')