CVE-2023-36464: 
Python vulnerability analysis and mitigation

pypdf is an open source, pure-python PDF library that was found to contain a vulnerability (CVE-2023-36464) where an attacker could craft a PDF file that leads to an infinite loop when executing the __parse_content_stream function. This vulnerability was introduced in pull request #969 and was later resolved in pull request #1828. The issue affects pypdf versions up to 3.8.1 and PyPDF2 versions from 2.2.0 (NVD, GitHub Advisory).

The vulnerability occurs when parsing PDF content streams, specifically when a comment in the PDF is not followed by a character. The infinite loop condition exists in the file pypdf/generic/_data_structures.py where the line while peek not in (b"\r", b"\n") fails to account for an empty byte string case. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating local attack vector with no privileges required (GitHub Advisory).

When exploited, this vulnerability causes the affected process to enter an infinite loop, consuming 100% of a single CPU core. While it does not impact memory usage, it effectively creates a denial of service condition for the affected process. The issue is triggered when attempting to extract text from a specially crafted PDF file (GitHub Advisory).

Users are advised to upgrade to pypdf version 3.9.0 or later which contains the fix. For those unable to upgrade, a workaround is available by modifying the file pypdf/generic/_data_structures.py to change the line while peek not in (b"\r", b"\n") to while peek not in (b"\r", b"\n", b""). PyPDF2 users are recommended to migrate to pypdf (GitHub Advisory).