QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24859

Published: Apr 18, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

6.2

MEDIUM

Description

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

Vendor	Product	Versions
py-pdf	PyPDF2	affected `< 1.27.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

https://github.com/py-pdf/PyPDF2/issues/329

https://github.com/py-pdf/PyPDF2/pull/740

https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5

[debian-lts-announce] 20220603 [SECURITY] [DLA 3039-1] pypdf2 security update

mailing-list

[debian-lts-announce] 20230609 [SECURITY] [DLA 3451-1] pypdf2 security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.