Hi pdf-reader developers,
I'm writing to report a Denial of Service (DoS) vulnerability I discovered in the pdf-reader gem (version 2.14.1). When parsing a specially crafted PDF file with circular object references, the library enters an infinite recursive loop, which results in a SystemStackError and crashes the application. An attacker could use this to cause a DoS condition in any service that uses pdf-reader to process untrusted PDF files.
I have prepared a detailed vulnerability report and a proof-of-concept (PoC) crash file. You can find all the materials in the following Google Drive folder: https://drive.google.com/drive/folders/11MK4cfn6sesBD9uRb3uwLR71wfM2fbJr
Please let me know if you need any assistance in debugging or fixing this issue. I'm happy to help in any way I can.
Once you have confirmed the vulnerability, I would appreciate it if you could take the lead on requesting a CVE identifier for this issue.
Thank you for your time and attention to this matter.
Best regards,
Yann
Security Team @ Riema Labs
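
The failure mode described in the report above, shown on a toy object table as an added example: this is not code from the report, from pdf-reader, or from its fix. `Ref`, `CircularReferenceError`, the two resolvers and both object tables are constructed for illustration; the guarded resolver tracks the ids on the current resolution path and rejects a reference back into that path.

```ruby
require "set"

# Constructed stand-in for a PDF indirect reference ("2 0 R"); not pdf-reader's class.
Ref = Struct.new(:id)
class CircularReferenceError < StandardError; end

# Constructed object table: object 1 points at 2, and 2 points back at 1.
CYCLIC = {
  1 => { Type: :Pages, Kids: [Ref.new(2)] },
  2 => { Type: :Page, Parent: Ref.new(1) },
}.freeze
# Constructed acyclic table in which object 3 is legitimately shared.
SHARED = {
  1 => { A: Ref.new(3), B: Ref.new(3) },
  3 => { Font: :Helvetica },
}.freeze

# Unguarded form: follows every reference, so a cycle recurses until the
# stack is exhausted and Ruby raises SystemStackError.
def naive_resolve(objects, value)
  case value
  when Ref   then naive_resolve(objects, objects.fetch(value.id))
  when Hash  then value.transform_values { |v| naive_resolve(objects, v) }
  when Array then value.map { |v| naive_resolve(objects, v) }
  else value
  end
end

# Guarded form: `active` holds the ids on the current resolution path.
# Meeting an id that is already active means the input contains a cycle.
def safe_resolve(objects, value, active = Set.new)
  case value
  when Ref
    if active.include?(value.id)
      raise CircularReferenceError, "object #{value.id} is already being resolved"
    end
    active.add(value.id)
    begin
      safe_resolve(objects, objects.fetch(value.id), active)
    ensure
      active.delete(value.id) # leave the path so shared objects stay legal
    end
  when Hash  then value.transform_values { |v| safe_resolve(objects, v, active) }
  when Array then value.map { |v| safe_resolve(objects, v, active) }
  else value
  end
end
```

A service that processes untrusted files can rescue the typed error and reject the document, rather than relying on `SystemStackError` surfacing cleanly from deep inside a parser.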
Hi James,
Thanks so much for the incredibly fast response and for preparing a fix already! We really appreciate you taking this report seriously.
Yes, you absolutely have our permission to include the PoC file in your test suite. We're glad it can be used to prevent future regressions.
I'll take a look at the pull request shortly and will leave any feedback directly on GitHub.
Regarding the next steps, once the fix is merged and a new version is released, we can proceed with the CVE request. Please let me know if you'd prefer to request the CVE identifier yourself or if you'd like me to handle the submission. We're happy to do it either way.
Thanks again for your excellent work on this.
Best regards,
Yann
Security Team @ Riema Labs