PT-2022-7124 · Pypi · Pypdf2

Author: Martinthoma · Published: 2022-09-07 · Updated: 2023-07-10 · CVE-2023-36807

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: PyPDF2 versions prior to 2.10.6

Description: PyPDF2 is a pure-Python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker can craft a PDF that sends the library into an infinite loop, blocking the current process and keeping a single CPU core at 100% utilization. Memory usage is not affected. This can occur, for example, when a user extracts metadata from a malformed PDF. The infinite loop is triggered through the read_object function in PyPDF2/generic/_data_structures.py.

Recommendations: To resolve the issue, upgrade to version 2.10.6 or later. If an upgrade is not possible, modify PyPDF2/generic/_data_structures.py::read_object to throw an error when it encounters an invalid elementary object, replacing the existing code with the provided patch.
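The recommendation above describes a general parser hardening pattern: a read loop that cannot classify the bytes in front of it must fail loudly rather than return without advancing. The following toy object reader is an added illustration of that pattern and is not PyPDF2's code; the token grammar, the read_object signature, the strict flag and the max_steps guard are all constructed for this example. In non-strict mode it reproduces the failure mode from the description (the caller's loop keeps re-reading the same offset), while the strict mode raises on the first invalid elementary object, which is the behaviour the fix introduces.

```python
"""Toy reader for a small subset of PDF object syntax (hypothetical code).

The pre-fix behaviour (strict=False) returns without consuming input when it
meets an unrecognised token, so an enclosing array loop never terminates.
The hardened behaviour (strict=True) raises PdfReadError instead.
"""
import re
from typing import Any, Tuple


class PdfReadError(Exception):
    """Raised by the hardened reader on an invalid elementary object."""


# Constructed grammar: numbers, names, booleans, null and array delimiters.
# Leading whitespace is skipped; every alternative consumes at least one byte.
_TOKEN = re.compile(
    rb"\s*(?:(?P<num>[+-]?\d+(?:\.\d*)?)"
    rb"|(?P<name>/[^\s/\[\]<>(){}%]*)"
    rb"|(?P<bool>true|false)"
    rb"|(?P<null>null)"
    rb"|(?P<arr>[\[\]]))"
)


def _elementary(data: bytes, pos: int, strict: bool) -> Tuple[Any, int]:
    """Read one elementary object at pos; return (value, position after it)."""
    m = _TOKEN.match(data, pos)
    if m is None:
        if strict:
            # Hardened path: reject invalid input instead of silently stalling.
            raise PdfReadError(
                f"invalid elementary object at offset {pos}: {data[pos:pos + 8]!r}"
            )
        # Pre-fix path: report "nothing" and leave the position untouched.
        return None, pos
    if m.group("num") is not None:
        text = m.group("num").decode("ascii")
        return (float(text) if "." in text else int(text)), m.end()
    if m.group("name") is not None:
        return m.group("name").decode("latin-1"), m.end()
    if m.group("bool") is not None:
        return m.group("bool") == b"true", m.end()
    if m.group("null") is not None:
        return None, m.end()
    return m.group("arr").decode("ascii"), m.end()  # "[" or "]"


def read_object(data: bytes, pos: int = 0, strict: bool = True,
                max_steps: int = 10_000) -> Tuple[Any, int]:
    """Read one object (elementary or array) starting at pos.

    max_steps is only a demonstration guard so the non-strict mode reports the
    stalled loop as RuntimeError instead of actually hanging the interpreter.
    """
    value, new_pos = _elementary(data, pos, strict)
    if value != "[":
        return value, new_pos
    items = []
    steps = 0
    while True:
        steps += 1
        if steps > max_steps:
            raise RuntimeError("array read loop did not advance: infinite-loop condition")
        item, new_pos = read_object(data, new_pos, strict, max_steps)
        if item == "]":
            return items, new_pos
        items.append(item)


if __name__ == "__main__":
    # Constructed inputs: one well-formed array, one with an invalid token.
    print(read_object(b"[ 1 /Name true null ]"))
    try:
        read_object(b"[ 1 @@@ ]", strict=True)
    except PdfReadError as exc:
        print("hardened reader rejected input:", exc)
    try:
        read_object(b"[ 1 @@@ ]", strict=False, max_steps=50)
    except RuntimeError as exc:
        print("pre-fix reader stalled:", exc)
```

The guard in read_object exists only so the demonstration terminates; the actual mitigation is the raise in _elementary, which gives the caller a defined error to handle (or to log as a malformed-input event) rather than a process pinned at 100% CPU.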

Weakness: Infinite Loop

Related Identifiers: BDU:2023-07661, CVE-2023-36807, GHSA-HM9V-VJ3R-R55M

Affected Products: Astra Linux, Pypdf2