
@sunnypatell

Changes

Added missing CVSS 3.1 scoring to GHSA-2q4j-m29v-hq73 (pypdf Infinite Loop when Processing Bookmarks).

Added:

  • CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)

Reason for change

This advisory had no CVSS 3.1 score and was marked as "MODERATE" severity, but NVD's CVSS 3.1 assessment scores it 7.5 HIGH. Adding the CVSS 3.1 vector provides more accurate severity context for downstream consumers.

CVSS justification

  • AV:N because crafted PDFs can be received from any network source (web uploads, email attachments, API endpoints)
  • AC:L because the infinite loop triggers reliably when processing any PDF with circular outline/bookmark references
  • PR:N because no authentication is required to submit a crafted PDF to a processing service
  • UI:N because PDF processing is typically automated (document pipelines, upload handlers, indexing services)
  • C:N/I:N because the vulnerability only causes a hang, not data disclosure or modification
  • A:H because the infinite loop permanently hangs the processing thread, causing denial of service

The GHSA severity label says "MODERATE" but CVSS 3.1 scoring from NVD rates this as HIGH (7.5). The discrepancy likely comes from the existing CVSS 4.0 vector which uses AV:L (local), but in practice PDFs are received and processed over the network.

Supporting links

Copilot AI review requested due to automatic review settings February 12, 2026 03:38
@github-actions github-actions bot changed the base branch from main to sunnypatell/advisory-improvement-6850 February 12, 2026 03:39

Copilot AI left a comment


Pull request overview

Adds the missing CVSS 3.1 score/vector to the GHSA advisory for the pypdf outlines/bookmarks infinite-loop DoS, aligning the advisory with NVD’s CVSS 3.1 assessment.

Changes:

  • Added a CVSS 3.1 severity entry (CVSS_V3) with the provided vector/score string.
  • Kept the existing CVSS 4.0 severity entry intact.
