CVE-2023-33733: RCE Vulnerability in ReportLab PDF Toolkit

Share :

On May 31st, 2023, a working exploit has been publicly released for a remote code execution (RCE) vulnerability (CVE-2023-33733), impacting ReportLab PDF Toolkit python libraries of versions prior to 3.6.13. The researcher of the POC has previously contacted ReportLab in April 2023, detailing this vulnerability and ReportLab has released a fix on April 27th, 2023, through ReportLab 3.6.13. 

ReportLab PDF Toolkit is an open-source project that allows the creation of documents in Adobe’s Portable Document Format (PDF) using the Python programming language. The POC focuses on bypassing sandbox restrictions on ‘rl_safe_eval’, a function initially meant to prevent malicious code execution. This bypass allows access to built-in python functions, allowing an attacker to achieve RCE. Many applications and libraries using the Reportlab library PDF Toolkit, are vulnerable to remote code execution while transforming malicious HTML to PDF. 

Based on the availability of a proof-of-concept exploit for CVE-2023-33733 and the widespread use of the library in HTML to PDF processing, we assess that there is a high likelihood of this vulnerability being exploited in the wild. 

Product   Vulnerable Versions 
ReportLab PDF Toolkit                      Versions prior to 3.6.13                     

Recommendation for CVE-2023-33733

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Apply the latest security patch for ReportLab PDF Toolkit 

Arctic Wolf strongly recommends installing the latest version of ReportLab to prevent potential exploitation of this vulnerability. To install the fixed version, use pip install reportlab==3.6.13. More information can be found here:  


Picture of James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Subscribe to our Monthly Newsletter