CVE-2022-24859
published 2022-04-18

Priority: P422
Severity: medium, 5.5 (CVSS 3.1), vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 1.28% (66.4th percentile)
PyPDF2 is an open source Python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5, an attacker can craft a PDF that leads to an infinite loop when PyPDF2's code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never checks whether the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate PDFs prior to iterating over their content stream.
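The loop condition described above, as an added illustration (not PyPDF2's own code): a minimal inline-image reader whose scan for the `EI` token treats end-of-stream as a hard stop, plus the pre-validation check suggested for users who cannot upgrade. The `PdfReadError` name, the simplified `ID` operator handling and the sample streams are assumptions constructed for this example.

```python
from __future__ import annotations
# Added illustration of the CVE-2022-24859 loop condition; not PyPDF2's code.
# A PDF content stream carries an inline image as:  BI <dict> ID <data> EI
WHITESPACE = b" \t\r\n\x0c\x00"  # PDF white-space bytes

class PdfReadError(Exception):
    """Malformed content stream (exception name assumed for this example)."""

def read_inline_image(stream: bytes, start: int) -> tuple[bytes, int]:
    """Return (image_bytes, offset_after_EI) for the inline image whose binary
    data begins at `start` (just past the ID operator and its one space byte).
    The vulnerable loop exited only on an EI token, so a stream truncated before
    EI was scanned forever; here end-of-stream (find == -1) raises instead."""
    pos = start
    while True:
        idx = stream.find(b"EI", pos)
        if idx == -1:
            raise PdfReadError("unterminated inline image: EI not found")
        # Image bytes may contain "EI"; only a white-space-delimited EI (or EI
        # at the very end of the stream) terminates the image.
        delimited_before = idx == 0 or stream[idx - 1] in WHITESPACE
        delimited_after = idx + 2 == len(stream) or stream[idx + 2] in WHITESPACE
        if delimited_before and delimited_after:
            return stream[start:idx].rstrip(WHITESPACE), idx + 2
        pos = idx + 2  # embedded "EI": skip it; pos strictly grows, so we terminate

def extract_inline_images(stream: bytes) -> list[bytes]:
    """Collect every inline image payload. Simplification: each "ID" byte pair
    outside image data is taken as the ID operator followed by one space."""
    images, pos = [], 0
    while True:
        id_idx = stream.find(b"ID", pos)
        if id_idx == -1:
            return images
        image, pos = read_inline_image(stream, id_idx + 3)
        images.append(image)

def content_stream_is_well_formed(stream: bytes) -> bool:
    """Pre-check for users who cannot upgrade: reject a stream whose inline
    image data is unterminated before handing it to the content-stream parser."""
    try:
        extract_inline_images(stream)
        return True
    except PdfReadError:
        return False

# Constructed samples: a valid stream whose image bytes hold a decoy "EI", and
# one truncated inside the image data (the shape the advisory describes).
GOOD_STREAM = b"q BI /W 2 /H 2 /CS /G /BPC 8 ID \x01\xffEI\x02\x03 EI Q"
TRUNCATED_STREAM = b"q BI /W 1 /H 1 /CS /G /BPC 8 ID \x7fEI\x7f"
```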

Affected

7 ranges
Vendor           Product        Version range                    Fixed in
debian           debian_linux
debian           pypdf2         < pypdf2 1.27.9-1 (bookworm)     pypdf2 1.27.9-1 (bookworm)
py-pdf           pypdf2         < 1.27.5                         1.27.5
pypdf2_project   pypdf2         < 1.27.5                         1.27.5
pypdf2_project   pypdf2         >= 0 < 1.26.0-4+deb11u1          1.26.0-4+deb11u1
pypdf2_project   pypdf2         >= 0 < 1.27.9-1                  1.27.9-1
pypdf2_project   pypdf2         >= 0 < 1.27.5                    1.27.5

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.5     MEDIUM     CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:N/A:P
osv                       5.5     MEDIUM
vendor_debian             6.2     MEDIUM
vendor_redhat             6.2     MEDIUM