CVE-2023-46250 — Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

Description

### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. ### Patches The issue was fixed with #2264 ### Workarounds If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.

How to fix CVE-2023-46250

To remediate CVE-2023-46250, upgrade the affected package to a fixed version below.

—upgrade to 3.17.0 or later

Is CVE-2023-46250 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.7.0, < 3.17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.1	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46250
PATCHgithub.com/py-pdf/pypdf
WEBgithub.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d
WEBgithub.com/py-pdf/pypdf/pull/2264
WEB