Infinite loop Affecting pypdf package, versions [,6.14.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.35% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-PYPDF-17900050
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditkoltiradw

Introduced: 8 Jul 2026

NewCVE-2026-59935  (opens in a new tab)
CWE-835  (opens in a new tab)

How to fix?

Upgrade pypdf to version 6.14.2 or higher.

Overview

pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files

Affected versions of this package are vulnerable to Infinite loop in the inline image decoding code in pypdf/generic/_image_inline.py. An attacker can hang text extraction or other content-stream parsing by supplying a PDF page with an unterminated inline image that uses the ASCII85 or ASCIIHex filter. When ContentStream._read_inline_image parses such malformed content, the decoder keeps scanning for the inline-image terminator instead of stopping at the end of the stream, so a crafted document can drive the parser into an endless loop and freeze the application processing the PDF.

Notes

  • The infinite-loop path is in the inline-image readers for the A85 and AHx filters, so PDFs that use other inline-image encodings are not part of this issue.
  • The hang shows up while parsing a page content stream, such as during text extraction or any other operation that walks ContentStream; document rendering paths that do not parse inline image data are outside this scope.

CVSS Base Scores

version 4.0
version 3.1