CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser
Vulnerability ID: CVE-2026-54651
CVSS Score: 5.5
Published: 2026-07-09
An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.
TL;DR
A denial-of-service vulnerability in pypdf (< 6.13.1) allows attackers to trigger 100% CPU starvation by uploading a PDF containing cyclic Article structure definitions. The parser fails to detect sub-loops within the Thread linked list, resulting in an infinite execution loop. Upgrading to version 6.13.1 implements a visited-set lookup that mitigates this risk.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-835 (Loop with Unreachable Exit Condition)
- Attack Vector: Local / File Parsing (AV:L)
- CVSS Score: 5.5 (Medium, CVSS v3.1) / 6.9 (Medium, CVSS v4.0)
- EPSS Score: 0.00111 (Percentile: 1.58%)
- Impact: Denial of Service via 100% CPU starvation
- Exploit Status: PoC documented, non-weaponized
- KEV Status: Not Listed
Affected Systems
- pypdf library installations prior to version 6.13.1
- Web applications utilizing pypdf to merge, append, or modify untrusted PDF files
-
pypdf: < 6.13.1 (Fixed in:
6.13.1)
Code Analysis
Commit: 5efe472
Fix infinite loop in _add_articles_thread by tracking processed objects in a visited set and throwing LimitReachedError on cycles.
Exploit Details
- GitHub Pull Request: Regression testing block verifying loop-detection mechanics under cyclic configurations.
Mitigation Strategies
- Upgrade pypdf to version 6.13.1 or higher.
- Configure process-level execution timeouts to automatically kill hung worker threads.
- Add defensive error handling to catch LimitReachedError exceptions in the application code.
- Implement CPU resource limits on parsing containers to isolate resource exhaustion.
Remediation Steps:
- Audit the software bill of materials (SBOM) and requirement configuration files to identify vulnerable pypdf installations.
- Update dependencies in requirements.txt or poetry.lock to require pypdf >= 6.13.1.
- Implement a try-except structure enclosing PDF modification operations to trap the LimitReachedError.
- Deploy updated software containers and verify execution limits are enforced in the orchestration environment.
References
- GitHub Pull Request #3839
- pypdf 6.13.1 Release Changelog
- GitHub Security Advisory GHSA-g9xf-7f8q-9mcj
- Fix Commit 5efe472
- NVD CVE-2026-54651 Detail
Read the full report for CVE-2026-54651 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)