Listen to this Post
The vulnerability in pypdf occurs during the parsing of PDF outlines or bookmarks. When the library accesses these elements, it traverses a tree structure representing the document’s hierarchy. An attacker can craft a malicious PDF by manipulating the outline entries to create circular references or recursive loops. Specifically, by setting parent and child pointers in the outline dictionary to point back to each other, the traversal algorithm enters an infinite cycle. This happens because the code does not implement cycle detection or limit recursion depth. When pypdf processes such a PDF, functions like `getOutlines()` or similar methods that access bookmarks repeatedly visit the same nodes without termination. The infinite loop consumes CPU resources indefinitely, leading to a denial of service. The issue is triggered only when outlines are accessed, which may occur during document navigation, indexing, or extraction tasks. The fix in version 6.6.2, via PR 3610, adds checks to track visited nodes and break cycles, ensuring safe traversal.
Platform: pypdf
Version: Before 6.6.2
Vulnerability: Infinite loop processing
Severity: Moderate
date: Jan 26, 2026
Prediction: Patched Jan 2026
What Undercode Say:
Analytics:
Bash command to check version:
pip show pypdf | grep Version
Bash command to upgrade:
pip install pypdf==6.6.2
Code snippet triggering vulnerability:
from pypdf import PdfReader
reader = PdfReader(“malicious.pdf”)
outlines = reader.outlines
How Exploit:
Craft PDF with cyclic outline references and trigger processing via pypdf.
Protection from this CVE:
Upgrade to pypdf 6.6.2 or apply PR 3610 patches.
Impact:
Denial of service via infinite loop.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

