Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in pypdf versions prior to 6.13.1 exposes a logic error that can cause an infinite loop during PDF processing. The bug occurs when a PDF that contains threads or articles is merged into a writer via the library’s merge function. The loop never terminates, resulting in excessive CPU consumption and eventual loss of responsiveness for the host application that is performing the merge.

Affected Systems

The vulnerability affects the py-pdf pypdf library in any version prior to 6.13.1. Updating to version 6.13.1 or later provides the fix that removes the infinite loop condition.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the infinite loop by delivering a specially crafted PDF file to any process that invokes the merge operation. The attack vector may be local if the process runs on the attacker’s machine or remote if the application exposes a PDF handling endpoint. The impact is restricted to resource exhaustion and service denial; there is no code execution or data compromise.

Generated by OpenCVE AI on June 22, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the pypdf library to version 6.13.1 or later
  • Configure the application to validate PDFs and reject files that contain threads or articles before invoking the merge operation
  • Apply CPU or thread limits around PDF processing functions to prevent long-running loops from exhausting system resources
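A bounded-execution wrapper for the third action above (CPU and wall-clock limits around PDF processing), added here as an example and not part of the OpenCVE record or of pypdf. The PDF bytes, `count_pages` and `spin_forever` are constructed stand-ins for a benign merge step and for the non-terminating loop; `run_bounded` assumes a Linux host where `fork` and the `resource` module are available.

```python
import multiprocessing as mp
import queue
import resource

# Constructed single-page PDF used as benign sample input (not a real file).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def count_pages(data: bytes) -> int:
    """Benign stand-in for the merge step (in production: the call into PdfWriter)."""
    return data.count(b"/Type /Page ")

def spin_forever(_data: bytes) -> None:
    """Stand-in for the CWE-835 behaviour: a loop whose exit is never reached."""
    while True:
        pass

def _worker(fn, data, cpu_seconds, out) -> None:
    # Hard CPU ceiling inside the child: if the loop never exits, the kernel
    # terminates the process (SIGXCPU) even if the parent is not watching.
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    new_hard = cpu_seconds + 1 if hard == resource.RLIM_INFINITY else min(cpu_seconds + 1, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))
    try:
        out.put(("ok", fn(data)))
    except Exception as exc:  # report parser errors instead of dying silently
        out.put(("error", repr(exc)))

def run_bounded(fn, data, wall_seconds=5.0, cpu_seconds=5):
    """Run fn(data) in a child process under wall-clock and CPU-time budgets; returns
    ("ok", result), ("error", msg), ("timeout", None) or ("killed", None) (CPU limit hit)."""
    ctx = mp.get_context("fork")
    out = ctx.Queue()
    proc = ctx.Process(target=_worker, args=(fn, data, cpu_seconds, out), daemon=True)
    proc.start()
    proc.join(wall_seconds)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return ("timeout", None)
    try:
        return out.get(timeout=1.0)
    except queue.Empty:
        return ("killed", None)
```

The wall-clock budget catches a loop that idles, the CPU limit catches one that burns a core, and either way the parent process keeps serving requests.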

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 00:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Py-pdf
                                      Py-pdf pypdf
Vendors & Products                    Py-pdf
                                      Py-pdf pypdf

Mon, 22 Jun 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1.
Title                          pypdf: Possible infinite loop when processing threads/articles in writer
Weaknesses                     CWE-835
References
Metrics                        cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T20:28:28.412Z

Reserved: 2026-06-15T20:16:46.198Z

Link: CVE-2026-54651

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')