Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pypdf2@1.27.0

Type pypi

Namespace

Name pypdf2

Version 1.27.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.27.9

Latest_non_vulnerable_version 1.27.9

Affected_by_vulnerabilities

url VCID-2jvc-j78s-fkg3

vulnerability_id VCID-2jvc-j78s-fkg3

summary PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24859.json

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24859.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24859

reference_id

reference_type

scores

value	0.00127
scoring_system	epss
scoring_elements	0.31702
published_at	2026-06-12T12:55:00Z

value	0.00127
scoring_system	epss
scoring_elements	0.31511
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24859

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24859

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/pypdf2/PYSEC-2022-194.yaml

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/pypdf2/PYSEC-2022-194.yaml

reference_url

https://github.com/py-pdf/PyPDF2

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/py-pdf/PyPDF2

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009879
reference_id	1009879
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009879

reference_url

https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5

reference_id

1.27.5

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2076488
reference_id	2076488
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2076488

reference_url

https://github.com/py-pdf/PyPDF2/issues/329

reference_id

329

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://github.com/py-pdf/PyPDF2/issues/329

reference_url

https://github.com/py-pdf/PyPDF2/pull/740

reference_id

740

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://github.com/py-pdf/PyPDF2/pull/740

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-24859

reference_id

CVE-2022-24859

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-24859

reference_url

https://github.com/advisories/GHSA-xcjx-m2pj-8g79

reference_id

GHSA-xcjx-m2pj-8g79

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xcjx-m2pj-8g79

reference_url

https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

reference_id

GHSA-xcjx-m2pj-8g79

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

reference_url

https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html

reference_id

msg00001.html

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html

reference_url

https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html

reference_id

msg00013.html

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:48:47Z/

url

https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html

reference_url	https://usn.ubuntu.com/6176-1/
reference_id	USN-6176-1
reference_type
scores
url	https://usn.ubuntu.com/6176-1/

fixed_packages

url pkg:pypi/pypdf2@1.27.5

purl pkg:pypi/pypdf2@1.27.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-qpnm-95vw-fbbg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypdf2@1.27.5

aliases CVE-2022-24859, GHSA-xcjx-m2pj-8g79, PYSEC-2022-194

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2jvc-j78s-fkg3

url VCID-qpnm-95vw-fbbg

vulnerability_id VCID-qpnm-95vw-fbbg

summary pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-36810

reference_id

reference_type

scores

value	0.00165
scoring_system	epss
scoring_elements	0.37482
published_at	2026-06-12T12:55:00Z

value	0.00165
scoring_system	epss
scoring_elements	0.37305
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-36810

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36810
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36810

reference_url

https://github.com/py-pdf/pypdf

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/py-pdf/pypdf

reference_url

https://github.com/py-pdf/pypdf/commit/c6c56f550bb384e05f0139c796ba1308837d6373

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/py-pdf/pypdf/commit/c6c56f550bb384e05f0139c796ba1308837d6373

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-36810

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-36810

reference_url

https://github.com/py-pdf/pypdf/issues/582

reference_id

582

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-04T21:19:20Z/

url

https://github.com/py-pdf/pypdf/issues/582

reference_url

https://github.com/py-pdf/pypdf/pull/808

reference_id

808

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-04T21:19:20Z/

url

https://github.com/py-pdf/pypdf/pull/808

reference_url

https://github.com/advisories/GHSA-jrm6-h9cq-8gqw

reference_id

GHSA-jrm6-h9cq-8gqw

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jrm6-h9cq-8gqw

reference_url

https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw

reference_id

GHSA-jrm6-h9cq-8gqw

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-04T21:19:20Z/

url

https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw

reference_url

https://lists.debian.org/debian-lts-announce/2023/07/msg00019.html

reference_id

msg00019.html

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-04T21:19:20Z/

url

https://lists.debian.org/debian-lts-announce/2023/07/msg00019.html

reference_url	https://usn.ubuntu.com/6280-1/
reference_id	USN-6280-1
reference_type
scores
url	https://usn.ubuntu.com/6280-1/

fixed_packages

url	pkg:pypi/pypdf2@1.27.9
purl	pkg:pypi/pypdf2@1.27.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pypdf2@1.27.9

aliases CVE-2023-36810, GHSA-jrm6-h9cq-8gqw

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qpnm-95vw-fbbg

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypdf2@1.27.0

Package Instance