pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries.
When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected.
This issue has been patched in version 6.6.0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Pypdf_Project Pypdf
cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
|
— |
6.6.0
|
References 4
https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45
security-advisories@github.com
https://github.com/py-pdf/pypdf/pull/3594
security-advisories@github.com
https://github.com/py-pdf/pypdf/releases/tag/6.6.0
security-advisories@github.com
https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv
security-advisories@github.com