DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54651: CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser

CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser

Vulnerability ID: CVE-2026-54651
CVSS Score: 5.5
Published: 2026-07-09

An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.

TL;DR

A denial-of-service vulnerability in pypdf (< 6.13.1) allows attackers to trigger 100% CPU starvation by uploading a PDF containing cyclic Article structure definitions. The parser fails to detect sub-loops within the Thread linked list, resulting in an infinite execution loop. Upgrading to version 6.13.1 implements a visited-set lookup that mitigates this risk.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-835 (Loop with Unreachable Exit Condition)
  • Attack Vector: Local / File Parsing (AV:L)
  • CVSS Score: 5.5 (Medium, CVSS v3.1) / 6.9 (Medium, CVSS v4.0)
  • EPSS Score: 0.00111 (Percentile: 1.58%)
  • Impact: Denial of Service via 100% CPU starvation
  • Exploit Status: PoC documented, non-weaponized
  • KEV Status: Not Listed

Affected Systems

  • pypdf library installations prior to version 6.13.1
  • Web applications utilizing pypdf to merge, append, or modify untrusted PDF files
  • pypdf: < 6.13.1 (Fixed in: 6.13.1)

Code Analysis

Commit: 5efe472

Fix infinite loop in _add_articles_thread by tracking processed objects in a visited set and throwing LimitReachedError on cycles.

Exploit Details

  • GitHub Pull Request: Regression testing block verifying loop-detection mechanics under cyclic configurations.

Mitigation Strategies

  • Upgrade pypdf to version 6.13.1 or higher.
  • Configure process-level execution timeouts to automatically kill hung worker threads.
  • Add defensive error handling to catch LimitReachedError exceptions in the application code.
  • Implement CPU resource limits on parsing containers to isolate resource exhaustion.

Remediation Steps:

  1. Audit the software bill of materials (SBOM) and requirement configuration files to identify vulnerable pypdf installations.
  2. Update dependencies in requirements.txt or poetry.lock to require pypdf >= 6.13.1.
  3. Implement a try-except structure enclosing PDF modification operations to trap the LimitReachedError.
  4. Deploy updated software containers and verify execution limits are enforced in the orchestration environment.

References


Read the full report for CVE-2026-54651 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)