<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sun, 12 Jul 2026 13:43:45 +0000</lastBuildDate>
    <item>
      <title>b4ba8120-bc88-45c6-9480-ff4cb68fbba0</title>
      <link>https://vulnerability.circl.lu/sighting/b4ba8120-bc88-45c6-9480-ff4cb68fbba0/export</link>
      <description>{"uuid": "b4ba8120-bc88-45c6-9480-ff4cb68fbba0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54651", "type": "seen", "source": "https://gist.github.com/alon710/29f907693324d6187f6b141f2c73d47b", "content": "# CVE-2026-54651: CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser\n\n&amp;gt; **CVSS Score:** 5.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-54651\n\n## Summary\nAn infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.\n\n## TL;DR\nA denial-of-service vulnerability in pypdf (&amp;lt; 6.13.1) allows attackers to trigger 100% CPU starvation by uploading a PDF containing cyclic Article structure definitions. The parser fails to detect sub-loops within the Thread linked list, resulting in an infinite execution loop. Upgrading to version 6.13.1 implements a visited-set lookup that mitigates this risk.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-835 (Loop with Unreachable Exit Condition)\n- **Attack Vector**: Local / File Parsing (AV:L)\n- **CVSS Score**: 5.5 (Medium, CVSS v3.1) / 6.9 (Medium, CVSS v4.0)\n- **EPSS Score**: 0.00111 (Percentile: 1.58%)\n- **Impact**: Denial of Service via 100% CPU starvation\n- **Exploit Status**: PoC documented, non-weaponized\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pypdf library installations prior to version 6.13.1\n- Web applications utilizing pypdf to merge, append, or modify untrusted PDF files\n- **pypdf**: &amp;lt; 6.13.1 (Fixed in: `6.13.1`)\n\n## Mitigation\n\n- Upgrade pypdf to version 6.13.1 or higher.\n- Configure process-level execution timeouts to automatically kill hung worker threads.\n- Add defensive error handling to catch LimitReachedError exceptions in the application code.\n- Implement CPU resource limits on parsing containers to isolate resource exhaustion.\n\n**Remediation Steps:**\n1. Audit the software bill of materials (SBOM) and requirement configuration files to identify vulnerable pypdf installations.\n2. Update dependencies in requirements.txt or poetry.lock to require pypdf &amp;gt;= 6.13.1.\n3. Implement a try-except structure enclosing PDF modification operations to trap the LimitReachedError.\n4. Deploy updated software containers and verify execution limits are enforced in the orchestration environment.\n\n## References\n\n- [GitHub Pull Request #3839](https://github.com/py-pdf/pypdf/pull/3839)\n- [pypdf 6.13.1 Release Changelog](https://github.com/py-pdf/pypdf/releases/tag/6.13.1)\n- [GitHub Security Advisory GHSA-g9xf-7f8q-9mcj](https://github.com/py-pdf/pypdf/security/advisories/GHSA-g9xf-7f8q-9mcj)\n- [Fix Commit 5efe472](https://github.com/py-pdf/pypdf/commit/5efe472b07e36d1ae22c9991d744d013cfb2f214)\n- [NVD CVE-2026-54651 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-54651)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-54651) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T21:41:51.037198Z"}</description>
      <content:encoded>{"uuid": "b4ba8120-bc88-45c6-9480-ff4cb68fbba0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-54651", "type": "seen", "source": "https://gist.github.com/alon710/29f907693324d6187f6b141f2c73d47b", "content": "# CVE-2026-54651: CVE-2026-54651: Infinite Loop Vulnerability in pypdf Article Thread Parser\n\n&amp;gt; **CVSS Score:** 5.5\n&amp;gt; **Published:** 2026-07-09\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-54651\n\n## Summary\nAn infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.\n\n## TL;DR\nA denial-of-service vulnerability in pypdf (&amp;lt; 6.13.1) allows attackers to trigger 100% CPU starvation by uploading a PDF containing cyclic Article structure definitions. The parser fails to detect sub-loops within the Thread linked list, resulting in an infinite execution loop. Upgrading to version 6.13.1 implements a visited-set lookup that mitigates this risk.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-835 (Loop with Unreachable Exit Condition)\n- **Attack Vector**: Local / File Parsing (AV:L)\n- **CVSS Score**: 5.5 (Medium, CVSS v3.1) / 6.9 (Medium, CVSS v4.0)\n- **EPSS Score**: 0.00111 (Percentile: 1.58%)\n- **Impact**: Denial of Service via 100% CPU starvation\n- **Exploit Status**: PoC documented, non-weaponized\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- pypdf library installations prior to version 6.13.1\n- Web applications utilizing pypdf to merge, append, or modify untrusted PDF files\n- **pypdf**: &amp;lt; 6.13.1 (Fixed in: `6.13.1`)\n\n## Mitigation\n\n- Upgrade pypdf to version 6.13.1 or higher.\n- Configure process-level execution timeouts to automatically kill hung worker threads.\n- Add defensive error handling to catch LimitReachedError exceptions in the application code.\n- Implement CPU resource limits on parsing containers to isolate resource exhaustion.\n\n**Remediation Steps:**\n1. Audit the software bill of materials (SBOM) and requirement configuration files to identify vulnerable pypdf installations.\n2. Update dependencies in requirements.txt or poetry.lock to require pypdf &amp;gt;= 6.13.1.\n3. Implement a try-except structure enclosing PDF modification operations to trap the LimitReachedError.\n4. Deploy updated software containers and verify execution limits are enforced in the orchestration environment.\n\n## References\n\n- [GitHub Pull Request #3839](https://github.com/py-pdf/pypdf/pull/3839)\n- [pypdf 6.13.1 Release Changelog](https://github.com/py-pdf/pypdf/releases/tag/6.13.1)\n- [GitHub Security Advisory GHSA-g9xf-7f8q-9mcj](https://github.com/py-pdf/pypdf/security/advisories/GHSA-g9xf-7f8q-9mcj)\n- [Fix Commit 5efe472](https://github.com/py-pdf/pypdf/commit/5efe472b07e36d1ae22c9991d744d013cfb2f214)\n- [NVD CVE-2026-54651 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-54651)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-54651) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T21:41:51.037198Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/b4ba8120-bc88-45c6-9480-ff4cb68fbba0/export</guid>
      <pubDate>Thu, 09 Jul 2026 21:41:51 +0000</pubDate>
    </item>
  </channel>
</rss>
