# Ouroboros in the Outline: Infinite Loops in pypdf (CVE-2026-24688)
2026-01-27
admin
## ⚠️ Exploit Status: POC

- Vulnerability ID: CVE-2026-24688
- CVSS Score: 7.5
- Published: 2026-01-26

A Denial of Service (DoS) vulnerability in the popular pypdf library allows attackers to trigger an infinite loop by crafting a PDF with cyclic outline references. This results in 100% CPU utilization and application hangs.

The pypdf library (< 6.6.2) fails to detect cycles when parsing PDF outlines (bookmarks). An attacker can craft a malicious PDF where bookmark A points to bookmark B and bookmark B points back to A, causing the parser to enter an infinite loop. This effectively hangs the application, consuming all available CPU resources.

## Code Analysis

## Commit: b1282f8

SEC: Detect cyclic references when retrieving outlines

```diff
@@ -123,6 +123,7 @@ def _get_outline( self, node: Optional[DictionaryObject] = None, outline: Optional[Any] = None, + visited: Optional[set[int]] = None, ) -> OutlineType: if outline is None: outline = []
```
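Review bot: the visible context initializes `outline` when it is `None` (`if outline is None: outline = []`) but shows no matching guard for the new `visited` parameter; unless `if visited is None: visited = set()` is added before the first membership test or `.add()` on it, a top-level call that relies on the default would fail with `AttributeError` on `None` instead of detecting the cycle. The new parameter also gets no docstring entry in this hunk; one line saying that the set holds the object ids already seen, so that a cyclic reference is skipped rather than followed forever, would help the next reader. Finally, `set[int]` in a runtime-evaluated annotation requires Python 3.9 or newer; if the project still supports older interpreters, use `typing.Set[int]` (consistent with the surrounding `Optional[...]` style) or add `from __future__ import annotations`.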
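To make the defect and the fix concrete, here is an added example that is not pypdf's own code: a minimal in-memory model of an outline (bookmark) tree with two walkers. One follows the child and sibling links with no cycle check, which is the pre-6.6.2 behaviour described above, and one carries a set of already-seen object numbers, the idea behind the `visited` parameter in commit b1282f8. The node class, its field names, the object numbers and the two sample outlines are constructed for this demonstration; the step budget in the unsafe walker exists only so that the hang can be shown as an exception instead of freezing the interpreter.

```python
# Added example, not pypdf's own code: a minimal in-memory model of a PDF
# outline (bookmark) tree plus two walkers. walk_outline_unsafe() follows
# /First and /Next links with no cycle check, the pre-6.6.2 behaviour the
# advisory describes; walk_outline_safe() carries a set of already-seen
# object numbers, the idea behind the `visited: Optional[set[int]]` parameter
# in commit b1282f8. The node class, field names, object numbers and sample
# outlines below are constructed for this demonstration.
from typing import List, Optional, Set


class OutlineNode:
    """One bookmark. obj_num stands in for the PDF indirect-object number."""

    def __init__(self, obj_num: int, title: str) -> None:
        self.obj_num = obj_num
        self.title = title
        self.first: Optional["OutlineNode"] = None  # /First: first child
        self.next: Optional["OutlineNode"] = None   # /Next: next sibling


class OutlineLoopError(RuntimeError):
    """Raised by the unsafe walker once it exhausts its step budget."""


def _walk(root: Optional[OutlineNode], detect_cycles: bool, max_steps: int) -> List[str]:
    """Pre-order traversal (node, then its children, then its siblings).

    An explicit stack is used instead of recursion so a long sibling chain or
    a cycle cannot also blow the interpreter's recursion limit. max_steps is a
    demonstration guard only: it turns what would be a real hang in the unsafe
    mode into an exception.
    """
    titles: List[str] = []
    visited: Set[int] = set()
    stack: List[OutlineNode] = [root] if root is not None else []
    steps = 0
    while stack:
        node = stack.pop()
        steps += 1
        if steps > max_steps:
            raise OutlineLoopError("outline walk exceeded its step budget (cyclic outline?)")
        if detect_cycles:
            if node.obj_num in visited:
                continue  # already emitted: a back-reference, so stop following it
            visited.add(node.obj_num)
        titles.append(node.title)
        # Push the sibling first and the child last so the child is popped next.
        if node.next is not None:
            stack.append(node.next)
        if node.first is not None:
            stack.append(node.first)
    return titles


def walk_outline_unsafe(root: Optional[OutlineNode], max_steps: int = 10_000) -> List[str]:
    """No cycle detection: never terminates on a cyclic outline (here: raises)."""
    return _walk(root, detect_cycles=False, max_steps=max_steps)


def walk_outline_safe(root: Optional[OutlineNode]) -> List[str]:
    """With a visited set: every bookmark is emitted at most once."""
    return _walk(root, detect_cycles=True, max_steps=1 << 30)


def unsafe_walk_hangs(root: Optional[OutlineNode]) -> bool:
    """True if the unsafe walker would hang on this outline (hits the budget)."""
    try:
        walk_outline_unsafe(root)
    except OutlineLoopError:
        return True
    return False


def build_linear_outline() -> OutlineNode:
    """Constructed benign outline: Chapter 1 (with one section) then Chapter 2."""
    ch1 = OutlineNode(10, "Chapter 1")
    ch1.first = OutlineNode(11, "Section 1.1")
    ch1.next = OutlineNode(12, "Chapter 2")
    return ch1


def build_cyclic_outline() -> OutlineNode:
    """Constructed malicious outline: A's /Next is B and B's /Next is A again."""
    a = OutlineNode(20, "Bookmark A")
    b = OutlineNode(21, "Bookmark B")
    a.next = b
    b.next = a
    return a


if __name__ == "__main__":
    print("benign :", walk_outline_safe(build_linear_outline()))
    print("cyclic :", walk_outline_safe(build_cyclic_outline()))
    print("unsafe walker hangs on the cyclic outline:", unsafe_walk_hangs(build_cyclic_outline()))
```

Keying the visited set on the object number rather than on the Python object identity matters because a real parser may materialise the same indirect object more than once; it also means a bookmark reachable by two non-cyclic paths is reported once, which is the behaviour you want when rendering a table of contents.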
## Technical Details

- Vulnerability ID: CVE-2026-24688
- CWE ID: CWE-835
- Type: Infinite Loop / DoS
- CVSS: 7.5 (High)
- Attack Vector: Network (File Upload)
- Patch Date: 2026-01-26

## Affected Systems

- pypdf < 6.6.2
- Applications using pypdf for outline/bookmark extraction
- PDF processing pipelines
- Web applications accepting PDF uploads

Affected versions: pypdf < 6.6.2 (fixed in 6.6.2)

## Exploit Details

- GitHub: a proof-of-concept PDF file with circular outline references is provided in the issue tracker.

## Mitigation Strategies

- Update pypdf to version 6.6.2 immediately.
- Implement strict timeouts for all PDF processing tasks.
- Run PDF processing in isolated sandboxes or containers with resource limits.
- Monitor application metrics for unexpected CPU spikes.

Upgrade steps:

- Check your current version: `pip show pypdf`
- Upgrade: `pip install "pypdf>=6.6.2"` (quoted so the shell does not treat `>=` as a redirection)
- Verify the fix by running the PoC script against the updated library.
- Re-deploy the application services.

## References

- GitHub Advisory GHSA-2q4j-m29v-hq73
- pypdf Documentation
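The timeout and resource-limit mitigations listed above are cheap to apply at the process boundary. The following added example, which is not from the advisory or from pypdf, runs a processing step in a separate interpreter with a wall-clock timeout and a CPU-time ceiling, so a parser stuck in an infinite loop is killed and reported instead of pinning a worker at 100% CPU. The three job scripts are constructed stand-ins (the hanging one busy-loops the way the vulnerable outline walk does); in a real deployment the script would be the code that opens the uploaded PDF.

```python
# Added example, not from the advisory or pypdf: run a PDF-processing step in
# a separate interpreter with a wall-clock timeout and a CPU-time ceiling, so
# a parser stuck in an infinite loop is killed instead of pinning a worker at
# 100 % CPU. The three job scripts are constructed stand-ins; the hanging one
# busy-loops the way the vulnerable outline walk does.
import subprocess
import sys
from typing import Callable, Dict, Optional

try:
    import resource  # POSIX only; provides the hard CPU-time ceiling
except ImportError:  # Windows: only the wall-clock timeout applies
    resource = None

# Constructed stand-in for a normal parse that finishes promptly.
QUICK_JOB = "print('outline: 3 bookmarks')"
# Constructed stand-in for a parser that raises on a malformed file.
BROKEN_JOB = "raise ValueError('bad xref')"
# Constructed stand-in for the CVE-2026-24688 behaviour: never returns.
HANGING_JOB = "while True:\n    pass"


def _cpu_limit_hook(seconds: int) -> Optional[Callable[[], None]]:
    """Build a preexec_fn that caps the child's CPU time (kernel sends SIGXCPU).

    Returns None where the resource module is unavailable so subprocess.run
    receives its default.
    """
    if resource is None:
        return None

    def hook() -> None:
        soft, hard = resource.getrlimit(resource.RLIMIT_CPU)
        # Never ask for more than the inherited hard limit allows.
        limit = seconds if hard == resource.RLIM_INFINITY else min(seconds, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (limit, hard))

    return hook


def run_pdf_job(script: str, wall_timeout: float = 2.0, cpu_seconds: int = 5) -> Dict[str, str]:
    """Run `script` in a fresh interpreter and classify the outcome.

    Returns {"status": "ok" | "error" | "timeout", "output": ...}. The wall
    timeout is enforced by subprocess.run, which kills the child on expiry;
    the CPU limit is a second line of defence that holds even if the parent
    itself is wedged.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", script],
            capture_output=True,
            text=True,
            timeout=wall_timeout,
            preexec_fn=_cpu_limit_hook(cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "output": ""}
    if proc.returncode != 0:
        return {"status": "error", "output": proc.stderr.strip()}
    return {"status": "ok", "output": proc.stdout.strip()}


if __name__ == "__main__":
    for name, job in (("quick", QUICK_JOB), ("broken", BROKEN_JOB), ("hanging", HANGING_JOB)):
        print(name, run_pdf_job(job, wall_timeout=1.0))
```

A "timeout" outcome for a document that a healthy parser finishes in milliseconds is exactly the signal the monitoring bullet above asks for, so feeding these statuses into your metrics gives you the CPU-spike alert without waiting for a host to saturate. Note that `preexec_fn` runs between fork and exec and is not safe in a multithreaded parent; in a threaded worker, prefer running the job through a small launcher script that applies the limit itself, or through a container with a CPU quota.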