PatchSiren cyber security CVE debrief

CVE-2017-5852 Podofo Project CVE debrief

CVE-2017-5852 is a denial-of-service issue in PoDoFo 0.9.4 where a crafted PDF can drive PoDoFo::PdfPage::GetInheritedKeyFromObject into an infinite loop. The impact is on availability only; the NVD record assigns CVSS 3.0 5.5 (MEDIUM) with a vector indicating local access and user interaction.

Vendor: Podofo Project
Product: CVE-2017-5852
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Organizations and developers that parse or process untrusted PDF files with PoDoFo 0.9.4 should pay attention, especially if the library is used in desktop tools, document pipelines, or file-conversion workflows.

Technical summary

The vulnerable function is PoDoFo::PdfPage::GetInheritedKeyFromObject in base/PdfVariant.cpp. NVD maps the issue to CWE-835 (infinite loop) and lists PoDoFo 0.9.4 as the affected version. A crafted file can cause the parser to loop indefinitely, exhausting processing resources and denying service. The supplied record description says "remote attackers" may trigger the issue, while the CVSS vector is AV:L/PR:N/UI:R (local access, user interaction required), so the record should be read with that context in mind.

Defensive priority

Medium. This is an availability-only issue, but it can still stall services or crash workflows that handle untrusted PDFs. Priority increases where PoDoFo processes externally supplied files or where parsing hangs would impact user-facing operations.

Recommended defensive actions

  • Confirm whether PoDoFo 0.9.4 is in use anywhere in your environment.
  • Upgrade or replace the vulnerable PoDoFo version if a fixed release is available from your software vendor or package maintainer.
  • Treat untrusted PDF inputs as high-risk and isolate parsing in a constrained process or service.
  • Add timeouts, watchdogs, or job supervision around PDF processing to limit the effect of hangs.
  • Review any workflows that automatically ingest PDFs from external sources and reduce exposure where possible.
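The timeout and isolation actions above, worked out as an added example (not PatchSiren's or the PoDoFo project's code): a Python watchdog that runs a PDF-processing command in its own process group with a wall-clock limit plus kernel CPU and memory limits, so an endless parse loop is killed rather than stalling the pipeline. A constructed spinning child stands in for a real PoDoFo-based tool, since the point is the supervision, not the parser.

```python
# Added example: watchdog around a PDF-processing command, so a CWE-835 style
# parser hang (as in PoDoFo 0.9.4) costs bounded time instead of stalling the service.
import os
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class ParseResult:
    status: str                # "ok", "error", "timeout" or "cpu_limit"
    returncode: "int | None"   # None when the watchdog killed the job
    stderr: str


def _cap(limit_id, soft):
    # Lower only the soft limit; never raise it above the inherited hard limit.
    _, hard = resource.getrlimit(limit_id)
    if hard != resource.RLIM_INFINITY:
        soft = min(soft, hard)
    resource.setrlimit(limit_id, (soft, hard))


def run_supervised(cmd, wall_seconds, cpu_seconds=10, mem_bytes=1 << 30):
    """Run cmd in its own session with wall-clock, CPU and memory limits."""
    proc = subprocess.Popen(
        cmd, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        start_new_session=True,  # own process group, so helpers die with it
        # Applied in the child before exec(): the kernel sends SIGXCPU to a
        # runaway loop even if this Python watchdog is itself delayed.
        preexec_fn=lambda: (_cap(resource.RLIMIT_CPU, cpu_seconds),
                            _cap(resource.RLIMIT_AS, mem_bytes)),
    )
    try:
        _, err = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # kill the whole group
        proc.communicate()                   # reap it; no zombie left behind
        return ParseResult("timeout", None, "")
    text = err.decode(errors="replace")
    if proc.returncode == -signal.SIGXCPU:
        return ParseResult("cpu_limit", proc.returncode, text)
    if proc.returncode != 0:
        return ParseResult("error", proc.returncode, text)
    return ParseResult("ok", 0, text)


if __name__ == "__main__":
    # Constructed stand-in for a crafted PDF that spins the parser forever.
    spinning = [sys.executable, "-c", "while True: pass"]
    print(run_supervised(spinning, wall_seconds=2).status)  # timeout
```

In production the job runner would record the "timeout" and "cpu_limit" outcomes per input file, which is also the signal that a crafted PDF is being fed to the parser.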

Evidence notes

The vulnerability description and NVD record identify an infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject affecting PoDoFo 0.9.4. NVD lists CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and CWE-835. The record was published on 2017-03-01, with supporting references dated 2017-02-01 and 2017-02-02. Note that the human-readable description mentions remote attackers, while the CVSS vector indicates local access with user interaction; that context mismatch is reflected here rather than resolved by assumption.

Official resources

CVE-2017-5852 was published on 2017-03-01. The supplied references show public discussion on 2017-02-01 and 2017-02-02, which provides timing context for the disclosure, but the CVE publication date remains 2017-03-01.