First published: Mon Apr 18 2022
### Impact

An attacker can craft a PDF that drives PyPDF2 into an infinite loop when the PyPDF2 user processes it with code like the following:

```python
from PyPDF2 import PdfFileReader, PdfFileWriter
from PyPDF2.pdf import ContentStream

# Non-strict parsing of an untrusted file, followed by walking every page's
# content stream: the call sequence in which the loop is reached.
reader = PdfFileReader("malicious.pdf", strict=False)
for page in reader.pages:
    ContentStream(page.getContents(), reader)
```

### Patches

[`PyPDF2==1.27.5`](https://pypi.org/project/PyPDF2) and later are patched.

Credits to [Sebastian Krause](https://github.com/sekrause) for finding ([issue](https://github.com/py-pdf/PyPDF2/issues/329)) and fixing ([PR](https://github.com/py-pdf/PyPDF2/pull/740)) it.
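The patched release is the real fix; until it is deployed, and as defence in depth afterwards, the practical mitigation for a parser that can be driven into an infinite loop is a hard deadline in a disposable child process. This is an added example, not code from the advisory or the PyPDF2 project: the child script reproduces the advisory's call sequence, while `run_bounded`, `Outcome`, `scan_pdf` and the two constructed stand-in workers are my own names.

```python
import json
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Child-side script: opens the PDF with PyPDF2 and walks every page's content
# stream, the exact code path the advisory describes. Running it in its own
# interpreter means a parser hang costs only this one process, which is killed.
PDF_WORKER = r"""
import json, sys
from PyPDF2 import PdfFileReader
from PyPDF2.pdf import ContentStream
reader = PdfFileReader(sys.argv[1], strict=False)
for page in reader.pages:
    ContentStream(page.getContents(), reader)
print(json.dumps({"pages": reader.getNumPages()}))
"""

# Constructed stand-ins so the deadline logic can be exercised without PyPDF2 or
# a malicious PDF on hand: one never returns, one behaves like a healthy parser.
HANGING_WORKER = "while True:\n    pass\n"
FAKE_OK_WORKER = "import json; print(json.dumps({'pages': 3}))"

@dataclass
class Outcome:
    status: str                  # "ok", "timeout" or "error"
    pages: Optional[int] = None
    detail: str = ""

def run_bounded(worker_src: str, pdf_path: str, timeout_s: float) -> Outcome:
    """Run worker_src in a fresh interpreter on pdf_path; kill it at the deadline."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", worker_src, pdf_path],
            capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed the child; treat the file as hostile.
        return Outcome("timeout", detail=f"parser exceeded {timeout_s}s")
    if proc.returncode != 0:
        last = proc.stderr.strip().splitlines()
        return Outcome("error", detail=last[-1] if last else f"exit {proc.returncode}")
    return Outcome("ok", pages=json.loads(proc.stdout)["pages"])

def scan_pdf(pdf_path: str, timeout_s: float = 10.0) -> Outcome:
    """Parse one untrusted PDF with the advisory's code path under a deadline."""
    return run_bounded(PDF_WORKER, pdf_path, timeout_s)
```

A `timeout` outcome deserves a log entry and quarantine of the file, since a parser that never returns on a supposedly ordinary PDF is itself a signal worth investigating.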
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PyPDF2 Project PyPDF2 | <1.27.5 | |
| Debian Debian Linux | =9.0 | |
| pip/PyPDF2 | <1.27.5 | 1.27.5 |
CVE-2022-24859 is a vulnerability in PyPDF2, an open-source Python PDF library, that allows an attacker to craft a malicious PDF file that causes an infinite loop in the software.
CVE-2022-24859 leads to an infinite loop in PyPDF2 when a specially crafted PDF file is processed by the library.
Versions of PyPDF2 prior to 1.27.5 are affected by CVE-2022-24859.
CVE-2022-24859 has a severity rating of 5.5, which is considered medium.
To fix CVE-2022-24859, update PyPDF2 to version 1.27.5 or newer.