Miggo Logo
Miggo Vulnerability Database
CVE-2023-36810

CVE-2023-36810: PyPDF2 quadratic runtime with malformed PDF missing xref marker

6.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-36810
GHSA ID
GHSA-jrm6-h9cq-8gqw
EPSS Score
0.33324%
CWE
CWE-407
Published
6/30/2023
Updated
11/6/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
PyPDF2pip<= 1.27.81.27.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the readNextEndLine method's inefficient string handling. The commit diff shows the function was modified to replace sequential string concatenation (line = x + line) with a list-based approach (line_parts.append(x) followed by reverse+join). This change directly addresses the quadratic complexity issue described in CVE-2023-36810 and the associated GitHub advisory. The regression test added in Tests/test_reader.py confirms the performance impact relates to xref marker parsing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r w*o us*s t*is vuln*r**ility **n *r**t * P** w*i** l***s to un*xp**t** lon* runtim*. T*is qu**r*ti* runtim* *lo*ks t** *urr*nt pro**ss *n* **n utiliz* * sin*l* *or* o* t** *PU *y ***%. It *o*s not *****t m*mory us***. ### P*t**

Reasoning

T** vuln*r**ility st*ms *rom t** r***N*xt*n*Lin* m*t*o*'s in***i*i*nt strin* **n*lin*. T** *ommit *i** s*ows t** *un*tion w*s mo*i*i** to r*pl*** s*qu*nti*l strin* *on**t*n*tion (lin* = x + lin*) wit* * list-**s** *ppro*** (lin*_p*rts.*pp*n*(x) *ollo