pdf-oxide is vulnerable to Denial of Service (DoS)
59
Medium Risk
The Python bindings ship the same Rust core, whose reading-order text extraction pipeline groups vertical-writing (tategaki) spans into columns with a pairwise |a - b| <= tol X-center comparator that is not transitive. When a malformed or scanned CJK PDF produces many narrow spans whose centers step within the tolerance, the comparator reports contradictory orderings and Rust's sort_by/sort_unstable_by panics with a total-order violation that is uncatchable across the FFI boundary and aborts the host Python process. Oversized real-number literals that saturate to f64::INFINITY can also feed NaN glyph coordinates into the same sort path and reach the crash. The fix replaces the comparator with single-linkage column clustering that yields a genuine total order and clamps oversized literals to the spec limit at parse time.
You are affected if you are using a version that falls within the vulnerable range and you extract text from untrusted or scanned PDFs.
pdf-oxide is vulnerable to Denial of Service (DoS) in versions 0.3.61 - 0.3.72.
Upgrade the pdf-oxide library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant