CVE-2023-46250: 
Python vulnerability analysis and mitigation

CVE-2023-46250 affects pypdf, a free and open-source pure-python PDF library. The vulnerability exists in versions 3.7.0 through 3.16.4, where an attacker can craft a PDF that leads to an infinite loop when using the PdfWriter(clone_from) functionality (NVD, GitHub Advisory).

The vulnerability is classified as an infinite loop vulnerability (CWE-835) with a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). The issue occurs when processing PDFs with self-referential objects, causing the clone operation to enter an infinite recursion loop (NVD).

When exploited, the vulnerability causes the current process to enter an infinite loop that can utilize a single CPU core at 100% capacity. This occurs when users manipulate incoming malicious PDFs, such as merging them with other PDFs or adding annotations. The vulnerability does not affect memory usage (GitHub Advisory).

The vulnerability has been fixed in pypdf version 3.17.0. For users unable to upgrade, a workaround is available by manually modifying the pypdf/generic/datastructures.py file to implement the patch that adds a visited memo to check if the current object in the clone operation has already been visited (GitHub PR, GitHub Advisory).