CVE-2025-48379

High CVSS: 7.1

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.

Vendor

Python

Product

Pillow

CWE

CWE-122

Yayın Tarihi

2025-07-01 19:15:27

Güncelleme

2025-10-15 20:03:42

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-122 Pillow HIGH Python 2025

Referanslar

https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4 https://github.com/python-pillow/Pillow/pull/9041 https://github.com/python-pillow/Pillow/releases/tag/11.3.0 https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952

Benzer Kayıtlar

Medium

CVE-2026-25645

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a…

High

CVE-2026-32274

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is comp…

High

CVE-2026-31900

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action suppo…

High

CVE-2026-25990

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a…

Medium

CVE-2025-12781

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the…

High

CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HT…