CVE-2022-24859

CVE-2022-24859 is a medium-severity vulnerability in Pypdf2 Project Pypdf2 with a CVSS 3.x base score of 6.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-835.

Key facts

Description

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

Frequently asked questions

What is CVE-2022-24859?
PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.
How severe is CVE-2022-24859?
CVE-2022-24859 has a CVSS 3.x base score of 6.2, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2022-24859 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (67th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-24859?
CVE-2022-24859 primarily affects Pypdf2 Project Pypdf2. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-24859?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2022-24859 published?
CVE-2022-24859 was published on 2022-04-18 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Pypdf2 Project Pypdf2

All CVEs affecting Pypdf2 Project Pypdf2 →

Other CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities

Browse all CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities →