VDB
KO
HIGH 7.5

PYSEC-2026-2250

Details

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / pillow
Introduced in: 10.3.0 Fixed in: 12.2.0
Fix pip install --upgrade 'pillow>=12.2.0'

References