Severity: HIGH

GHSA-cfh3-3jmp-rvhc

Pillow affected by out-of-bounds write when loading PSD images

Details

### Impact

An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.

### Patches

Pillow 12.1.1 will be released shortly with a fix for this.

### Workarounds

`Image.open()` has a `formats` parameter that can be used to prevent PSD images from being opened.
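The workaround above, worked through as an added example (not Pillow's own code): rather than blocking only PSD, the wrapper passes an allowlist of the formats the application actually needs to `Image.open(formats=...)`, so the PSD plugin is never consulted for untrusted input. `ALLOWED_FORMATS`, `open_untrusted` and `is_psd_signature` are hypothetical names chosen for this example.

```python
"""Mitigation for GHSA-cfh3-3jmp-rvhc: decode untrusted images with an allowlist.

Added example, not part of the Pillow project. It assumes the application
only needs JPEG, PNG and GIF; adjust ALLOWED_FORMATS to your own needs.
"""
from io import BytesIO

# Allowlist of Pillow format IDs this (hypothetical) application accepts.
# "PSD" is absent, so the PSD loader in affected versions (>= 10.3.0, < 12.1.1)
# is never reached for data passed through open_untrusted().
ALLOWED_FORMATS = ("JPEG", "PNG", "GIF")


def is_format_allowed(fmt: str) -> bool:
    """Case-insensitive check against the allowlist (Pillow format IDs are upper-case)."""
    return fmt.upper() in ALLOWED_FORMATS


def is_psd_signature(data: bytes) -> bool:
    """Cheap pre-screen for logging/metrics: Adobe PSD files begin with the ASCII bytes '8BPS'."""
    return data[:4] == b"8BPS"


def open_untrusted(data: bytes):
    """Open image bytes from an untrusted source, trying only allowlisted plugins.

    Returns the PIL image, or None when the data is not one of the allowed
    formats (any PSD file included: Pillow does not even attempt to parse it).
    """
    # Imported lazily so the pure allowlist helpers above work without Pillow installed.
    from PIL import Image, UnidentifiedImageError

    try:
        im = Image.open(BytesIO(data), formats=list(ALLOWED_FORMATS))
    except UnidentifiedImageError:
        return None
    # Defence in depth: formats= already limits the plugins tried; confirm the result anyway.
    if not is_format_allowed(im.format or ""):
        im.close()
        return None
    return im


if __name__ == "__main__":
    # Constructed sample: a PSD-style header only, not a valid image of any kind.
    psd_like = b"8BPS" + b"\x00\x01" + b"\x00" * 6 + b"\x00\x03" + b"\x00" * 12
    print("looks like PSD:", is_psd_signature(psd_like))  # True
    print("opened:", open_untrusted(psd_like))             # None
```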

### References

Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
| --- | --- | --- | --- |
| PyPI / pillow | 10.3.0 | 12.1.1 | `pip install --upgrade 'pillow>=12.1.1'` |