DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27628: The Ouroboros Document: Infinite Loops in pypdf


Vulnerability ID: CVE-2026-27628
CVSS Score: 7.5
Published: 2026-02-25

A high-severity Denial of Service (DoS) vulnerability exists in pypdf, a widely used pure-Python library for reading and manipulating PDFs. By crafting a PDF whose cross-reference (xref) chain loops back on itself, an attacker can trap the parser in an infinite loop. The affected process pins a CPU core and never returns from the parse call, which can take down document-processing pipelines, web services, or serverless functions that open untrusted PDFs.

TL;DR

pypdf before 6.7.2 does not track which xref offsets it has already visited while following the /Prev chain of cross-reference tables. A malicious PDF whose /Prev pointers form a cycle (for example, a trailer whose /Prev points back to an offset already in the chain) sends the parser round that cycle forever; CPU stays at 100% until the process is killed.
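To make the failure concrete, the following is an added example (not pypdf's code and not from the original report): a deliberately minimal xref-chain walker that follows only classic `xref ... trailer` sections and `/Prev` pointers, ignoring xref streams and `/XRefStm`. It builds two constructed sample files, one with a normal two-revision chain and one whose first revision's trailer points forward to the second, closing a loop. The unguarded walker mirrors the pre-6.7.2 loop (with a demonstration-only step cap so it terminates); the guarded walker applies the visited-set check that 6.7.2 adds.

```python
"""Minimal xref-chain walker: the pre-6.7.2 loop beside the visited-set fix.

Illustrative stand-in, not pypdf's parser: classic xref tables and /Prev only.
"""
from __future__ import annotations

import re

_PREV_RE = re.compile(rb"/Prev\s+(\d+)")
_STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s*%%EOF")


def _xref_section(obj_off: int, prev: int | None) -> bytes:
    """One classic xref table for a single object plus its trailer dictionary.

    Offsets use a fixed width so a section's length does not depend on the
    values written, which lets build_pdf resolve the cycle in two passes.
    """
    section = b"xref\n0 2\n0000000000 65535 f \n%010d 00000 n \n" % obj_off
    trailer = b"<< /Size 2 /Root 1 0 R"
    if prev is not None:
        trailer += b" /Prev %010d" % prev
    return section + b"trailer\n" + trailer + b" >>\n"


def _render(prev_a: int | None, prev_b: int | None) -> tuple[bytes, int, int]:
    buf = bytearray(b"%PDF-1.4\n")
    obj_off = len(buf)
    buf += b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    off_a = len(buf)                      # xref section of the "original" revision
    buf += _xref_section(obj_off, prev_a)
    off_b = len(buf)                      # xref section of an "incremental update"
    buf += _xref_section(obj_off, prev_b)
    buf += b"startxref\n%d\n%%%%EOF\n" % off_b
    return bytes(buf), off_a, off_b


def build_pdf(circular: bool) -> bytes:
    """Constructed sample: startxref -> B, B's /Prev -> A. In the circular
    variant A's trailer also carries /Prev -> B, closing the loop."""
    _, off_a, off_b = _render(0 if circular else None, 0)      # pass 1: learn offsets
    pdf, a2, b2 = _render(off_b if circular else None, off_a)  # pass 2: real pointers
    assert (a2, b2) == (off_a, off_b)
    return pdf


def _read_startxref(pdf: bytes) -> int:
    m = _STARTXREF_RE.search(pdf, max(0, len(pdf) - 64))
    if m is None:
        raise ValueError("no startxref/%%EOF trailer")
    return int(m.group(1))


def _read_prev(pdf: bytes, offset: int) -> int | None:
    """Confirm an xref table starts at offset; return its trailer's /Prev, if any."""
    if pdf[offset:offset + 4] != b"xref":
        raise ValueError(f"no xref keyword at offset {offset}")
    trailer_at = pdf.index(b"trailer", offset)
    dict_end = pdf.index(b">>", trailer_at)
    m = _PREV_RE.search(pdf, trailer_at, dict_end)
    return int(m.group(1)) if m else None


def walk_xref_chain_unguarded(pdf: bytes, demo_step_limit: int = 1000) -> tuple[list[int], bool]:
    """Pre-fix behaviour: follow /Prev until it is absent.

    Returns (offsets visited, hit_limit). The step limit exists only so this
    demonstration terminates; the real loop had no bound.
    """
    chain: list[int] = []
    startxref: int | None = _read_startxref(pdf)
    while startxref is not None:
        if len(chain) >= demo_step_limit:
            return chain, True
        chain.append(startxref)
        startxref = _read_prev(pdf, startxref)
    return chain, False


def walk_xref_chain_guarded(pdf: bytes) -> list[int]:
    """Fixed behaviour: remember every offset seen and stop on the first repeat."""
    visited: set[int] = set()
    chain: list[int] = []
    startxref: int | None = _read_startxref(pdf)
    while startxref is not None:
        if startxref in visited:
            break        # circular /Prev chain: stop, as 6.7.2 does
        visited.add(startxref)
        chain.append(startxref)
        startxref = _read_prev(pdf, startxref)
    return chain


if __name__ == "__main__":
    good, bad = build_pdf(circular=False), build_pdf(circular=True)
    print("benign file, unguarded:", walk_xref_chain_unguarded(good))
    print("circular file, unguarded (capped at 10):", walk_xref_chain_unguarded(bad, 10))
    print("circular file, guarded:", walk_xref_chain_guarded(bad))
```

On the benign file both walkers return the same two offsets (the update's table first, then the original's). On the circular file the unguarded walker alternates between the two offsets until the demonstration cap, which is exactly the pre-6.7.2 hang; the guarded walker returns the same two offsets and stops. Note the fix is lenient by design: it truncates the chain rather than rejecting the file, so a parser built on it still loads whatever the sections seen so far describe.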


⚠️ Exploit Status: PoC available

Technical Details

  • CWE: CWE-835 (Infinite Loop)
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (via file upload)
  • Impact: Denial of Service (CPU Exhaustion)
  • Exploit Status: PoC Available
  • EPSS Score: 0.04%

Affected Systems

  • pypdf < 6.7.2 (fixed in 6.7.2)
  • Any Python application that opens untrusted PDFs with an affected pypdf

Code Analysis

Commit: 0fbd959

Fix for infinite loop in read_xref_tables_and_trailers

@@ -871,7 +871,16 @@ def _read_xref_tables_and_trailers(
         self.xref_free_entry = {}
         self.xref_objStm = {}
         self.trailer = DictionaryObject()
+        visited_xref_offsets: set[int] = set()
         while startxref is not None:
+            # Detect circular /Prev references in the xref chain
+            if startxref in visited_xref_offsets:
+                logger_warning(
+                    f"Circular xref chain detected at offset {startxref}, stopping",
+                    __name__,
+                )
+                break
+            visited_xref_offsets.add(startxref)
             # load the xref table
             stream.seek(startxref, 0)
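Review bot: the check at the top of the loop stops only on a repeated offset, so a chain of many distinct /Prev offsets is still walked in full and `visited_xref_offsets` grows with the file; if the goal is to bound parser work rather than only break cycles, a maximum chain length next to the set would close that gap. Also, the `break` leaves the partially loaded xref tables and `self.trailer` in place with nothing but a `logger_warning`, so callers cannot distinguish a truncated chain from a complete one; worth stating in the warning text or the method's docstring that objects from the skipped revisions may be absent.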

Exploit Details

  • GitHub: Original issue report containing the circular reference PoC

Mitigation Strategies

  • Timeouts: Parse untrusted PDFs under a hard wall-clock deadline so a hung parser is killed rather than left spinning.
  • Resource Limits: Run the parser in an isolated process with strict CPU and memory limits (a worker pool or a per-request child process), so one malicious file cannot take the whole service down.
  • Library Updates: Keep dependencies such as pypdf patched and pinned; flag any installed version below 6.7.2.

Remediation Steps:

  1. Upgrade pypdf to 6.7.2 or later: pip install --upgrade "pypdf>=6.7.2".
  2. If you cannot upgrade immediately, run PDF parsing in a separate process with a hard timeout and kill that process when the deadline passes. A timeout on a thread is not enough: CPython has no way to forcibly stop a thread that is stuck in a loop.
  3. Pre-scanning uploads for this specific condition is hard without parsing the xref chain yourself, so treat process isolation and timeouts as the primary compensating control until the upgrade lands.
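The isolation described in the mitigation list and in remediation step 2, as an added example that is not part of the original report: each parse runs in a fresh interpreter started with `subprocess`, bounded by a wall-clock timeout in the parent and a CPU rlimit set inside the child. The `PYPDF_BODY` payload assumes pypdf is installed and is the one you would use in production; the `HANG_BODY` and `QUICK_BODY` payloads are constructed stand-ins so the demonstration runs offline without a malicious file.

```python
"""Run PDF parsing in a disposable child process with a wall-clock and CPU budget."""
from __future__ import annotations

import subprocess
import sys

# Executed in the child: apply a CPU rlimit (Unix only; skipped where the
# resource module or the limit is unavailable), then run the parsing body
# with the PDF path in sys.argv[1] and the CPU budget in sys.argv[2].
_CHILD_WRAPPER = """
import sys
cpu_seconds = int(sys.argv[2])
try:
    import resource
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
except (ImportError, ValueError, OSError):
    pass
{body}
"""

# Body for real use (assumes pypdf is installed); not exercised by the demo below.
PYPDF_BODY = "from pypdf import PdfReader\nprint(len(PdfReader(sys.argv[1]).pages))\n"

# Constructed stand-ins so the demo runs without pypdf or a crafted file.
HANG_BODY = "while True:\n    pass\n"   # behaves like the pre-6.7.2 parser on a circular chain
QUICK_BODY = "print('parsed')\n"


def parse_in_sandbox(body: str, pdf_path: str, wall_seconds: float = 5.0,
                     cpu_seconds: int = 10) -> dict[str, str]:
    """Run `body` in a fresh interpreter and classify the outcome.

    status: 'ok'; 'timeout' (wall clock exceeded; subprocess.run kills the
    child before raising, so nothing is left spinning); 'killed' (ended by a
    signal, e.g. SIGXCPU from the CPU limit); 'error' (non-zero exit, e.g. a
    parser exception).
    """
    cmd = [sys.executable, "-c", _CHILD_WRAPPER.format(body=body),
           pdf_path, str(cpu_seconds)]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "output": ""}
    if proc.returncode == 0:
        return {"status": "ok", "output": proc.stdout.strip()}
    if proc.returncode < 0:
        return {"status": "killed", "output": proc.stderr.strip()}
    return {"status": "error", "output": proc.stderr.strip()}


if __name__ == "__main__":
    print(parse_in_sandbox(QUICK_BODY, "upload.pdf"))
    print(parse_in_sandbox(HANG_BODY, "upload.pdf", wall_seconds=1.0, cpu_seconds=30))
    print(parse_in_sandbox(HANG_BODY, "upload.pdf", wall_seconds=30.0, cpu_seconds=1))
```

The two limits are complementary: the wall-clock timeout catches a parser that blocks or sleeps, while the CPU limit catches a tight loop even if the parent is slow to notice. Because the work runs in its own process, a kill is unconditional; a `threading` timeout or a `signal.alarm` handler cannot give that guarantee for code that never returns to the interpreter's main thread.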

References

  • Full report for CVE-2026-27628 at cvereports.com (original publication)
