CVE-2022-24859: 
Python vulnerability analysis and mitigation

PyPDF2, a pure Python PDF library, was found to contain a security vulnerability (CVE-2022-24859) that was disclosed on April 18, 2022. The vulnerability affects versions prior to 1.27.5, where an attacker could craft a malicious PDF file containing manipulated inline images that would cause the application to enter an infinite loop when attempting to process the content stream (NVD, GitHub Advisory).

The vulnerability exists in the ContentStream._readInlineImage method of PyPDF2. The issue occurs because the last while-loop in this method only terminates when it finds the EI token but never actually checks if the stream has ended. This implementation flaw allows for the creation of a broken inline image that doesn't have an EI token, resulting in an infinite loop. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Moderate), with metrics indicating Local attack vector, Low attack complexity, No privileges required, and High availability impact (GitHub Advisory).

When exploited, this vulnerability can lead to a denial of service condition by consuming system resources through an infinite loop. This affects applications using PyPDF2 to process PDF files, particularly when attempting to read content streams containing inline images (Ubuntu Security).

The vulnerability was patched in PyPDF2 version 1.27.5, released on April 15, 2022. Users are recommended to upgrade to this version or later to address the security issue. The fix includes improvements to the ContentStream._readInlineImage method to handle cases where the EI token is missing (GitHub Release).