CVE-2021-25292
Regular Expression Denial of Service (ReDoS) vulnerability in pillow (PyPI)
What is CVE-2021-25292 About?
This is a Regular Expression Denial of Service (ReDoS) vulnerability in Pillow before 8.1.1, affecting its PDF parser. It can be triggered by a crafted PDF file whose contents drive one of the parser's regular expressions into catastrophic backtracking. This leads to excessive resource consumption and a denial of service, and is relatively easy to exploit with a malicious file.
Affected Software
- pillow
  - <8.1.1
  - >=5.1.0, <8.1.1
Technical Details
The vulnerability is a Regular Expression Denial of Service (ReDoS) affecting the PDF parser in Pillow versions before 8.1.1. When parsing a PDF file, the library uses regular expressions to process certain elements of the PDF structure. An attacker can embed a specially crafted sequence of characters in a PDF file that, when matched by the vulnerable regular expression, triggers catastrophic backtracking. The matching engine then consumes an exponential amount of CPU time, rendering the application unresponsive and causing a denial of service.
What is the Impact of CVE-2021-25292?
Successful exploitation may allow attackers to disrupt the availability of the affected system or application, leading to a denial of service where the system becomes unresponsive or crashes.
What is the Exploitability of CVE-2021-25292?
Exploitation of this ReDoS vulnerability involves creating and supplying a malformed PDF file containing the specific pattern that triggers catastrophic backtracking in Pillow's PDF parser. The complexity is low to medium. There are no authentication or privilege requirements; any user able to submit a PDF file for processing by an application that uses Pillow can exploit it. The attack is typically remote, where the application processes user-uploaded PDF documents, or local, where a malicious program calls the library directly. The main prerequisite is the ability to submit a specially crafted PDF file.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-25292?
About the Fix from Resolved Security
Available Upgrade Options
- pillow
  - >=5.1.0, <8.1.1 → Upgrade to 8.1.1
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2021-38
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://github.com/python-pillow/Pillow/commit/6207b44ab1ff4a91d8ddc7579619876d0bb191a4
- https://github.com/advisories/GHSA-9hx2-hgq2-2g4f
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-38.yaml
- https://github.com/python-pillow/Pillow
- https://security.gentoo.org/glsa/202107-33
- https://github.com/python-pillow/Pillow/commit/3bce145966374dd39ce58a6fc0083f8d1890719c
- https://nvd.nist.gov/vuln/detail/CVE-2021-25292
What are Similar Vulnerabilities to CVE-2021-25292?
Similar Vulnerabilities: CVE-2020-29651, CVE-2021-29063, CVE-2021-23437, CVE-2022-24706, CVE-2021-4122
