CVE-2022-24859 — Infinite Loop in Pypdf2

CWE-835 — Infinite Loop7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 68.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Py-pdf Pypdf2 Pypdf2 Project Pypdf2 Debian Pypdf2 +1 more

Timeline

PublishedApr 18

Latest updateJun 19

Description

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has b…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5py-pdf/pypdf2< 1.27.5

▶debiandebian/pypdf2< pypdf2 1.27.9-1 (bookworm)

▶NVDpypdf2_project/pypdf2< 1.27.5

▶PyPIpypdf2_project/pypdf2< 1.27.5

▶Debianpypdf2_project/pypdf2< 1.26.0-4+deb11u1+1

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Manipulated inline images can cause Infinite Loop in PyPDF2↗2022-04-22

▶

GHSA

Manipulated inline images can cause Infinite Loop in PyPDF2↗2022-04-22

▶

OSV

CVE-2022-24859: PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files↗2022-04-18

▶

📋Vendor Advisories

Ubuntu

PyPDF2 vulnerability↗2023-06-19

▶

Red Hat

PyPDF2: infinite loop vulnerability↗2022-04-18

▶

Debian

CVE-2022-24859: pypdf2 - PyPDF2 is an open source python PDF library capable of splitting, merging, cropp...↗2022

▶