GHSA-7wmm-6g5p-mv4pHighCVSS 7.5
pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu...
🔗 CVE IDs covered (1)
📋 Description
pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-38970
- https://github.com/pdfcpu/pdfcpu
- https://github.com/pdfcpu/pdfcpu/blob/a181c19acb322d6b93a1bbda9385a864a9ad6efe/pkg/pdfcpu/model/parse.go#L325-L366
- https://github.com/pdfcpu/pdfcpu/blob/a181c19acb322d6b93a1bbda9385a864a9ad6efe/pkg/pdfcpu/model/parse.go#L942-L970
- https://github.com/advisories/GHSA-7wmm-6g5p-mv4p