CVE-2023-24808 MEDIUM

CVE-2023-24808: Denial Of Service when opening a corrupt PDF file in pdfio

Vendor Michaelrsweet

Product pdfio

Weakness CWE-835

Published February 7, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

PDFio is a C library for reading and writing PDF files. In versions prior to 1.1.0 a denial of service (DOS) vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. The pdf which causes this crash found in testing is about 28kb in size and was discovered via fuzzing. Anyone who uses this library either as a standalone binary or as a library can be DOSed when attempting to parse this type of file. Web servers or other automated processes which rely on this code to turn pdf submissions into plaintext can be DOSed when an attacker uploads the pdf. Please see the linked GHSA for an example pdf. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

February 7, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-24808 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/835.html

Related vulnerabilities

CVE-2023-24808: Denial Of Service when opening a corrupt PDF file in pdfio

01Description

02Disclosure timeline

03References

04Related CVE