GHSA-4fx9-vc88-q2xc
Denial of Service vulnerability in pillow (PyPI)
What is GHSA-4fx9-vc88-q2xc About?
This vulnerability in Pillow's JpegImagePlugin can cause an infinite loop and lead to a denial of service when processing truncated JPEG files. The flaw occurs if an EOF marker is appended but not correctly detected, causing continuous processing. Exploitation is relatively easy by providing a specifically truncated JPEG file.
Affected Software
Technical Details
The vulnerability lies within Pillow's JpegImagePlugin component when attempting to process truncated JPEG files. If an attacker crafts a JPEG file that is truncated (incomplete) but has an EOF (End Of File) marker appended in such a way that the marker is not properly recognized or processed as a true end-of-file condition, the JpegImagePlugin can enter an infinite loop. The decoder will continuously attempt to process what it believes is still part of the image data, never reaching a valid termination point. This continuous processing consumes CPU resources indefinitely, leading to a denial of service for the application or system attempting to decode the malicious JPEG file.
What is the Impact of GHSA-4fx9-vc88-q2xc?
Successful exploitation may allow attackers to cause application unresponsiveness or crashes, leading to a denial of service for the target system.
What is the Exploitability of GHSA-4fx9-vc88-q2xc?
Exploitation typically involves a low level of complexity, requiring the attacker to provide a specially crafted truncated JPEG file with a particular EOF marker. No authentication or specific privileges are needed. The vulnerability can be exploited remotely if the target application processes user-supplied JPEG images, such as through upload facilities or image display features. The main prerequisite is that the Pillow library's JpegImagePlugin decodes the malicious file. Risks are higher for applications that handle untrusted JPEG image uploads or conversions without robust image validation.
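The "robust image validation" the paragraph above calls for can start before any decoder runs. The following is an added example, not Pillow's own code or the fix referenced by this advisory: a bounded walk over the JPEG marker segments that reports whether the End-Of-Image marker (0xFFD9) is actually reached. Every step is limited by the buffer length, so a truncated file, with or without a trailing EOI marker, ends the walk with a rejection rather than spinning it. The marker constants and sample bytes are constructed for the example.

```python
# Added example (not Pillow's own code): bounded marker walk that checks a JPEG
# byte string reaches its End-Of-Image marker before the bytes are handed to a
# decoder. Truncated input ends the walk with a rejection instead of spinning it.
from dataclasses import dataclass

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers carry no length field

@dataclass
class JpegCheck:
    complete: bool   # True only if EOI was reached without truncation
    reason: str
    segments: int    # marker segments walked before stopping

def check_jpeg(data: bytes, max_segments: int = 10_000) -> JpegCheck:
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        return JpegCheck(False, "missing SOI marker", 0)
    pos, seen = 2, 0
    while pos + 1 < n and seen < max_segments:    # hard bound on the loop
        if data[pos] != 0xFF:
            return JpegCheck(False, f"expected marker at offset {pos}", seen)
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        seen += 1
        if marker == EOI:
            return JpegCheck(True, "EOI reached", seen)
        if marker == 0x01 or marker in RST:       # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > n:
            return JpegCheck(False, "truncated inside marker header", seen)
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > n:
            return JpegCheck(False, f"segment length {length} runs past end of data", seen)
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows: advance to the next real marker (0xFF not
            # followed by 0x00 or RSTn), or stop when the data runs out first.
            while pos + 1 < n:
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
            else:
                return JpegCheck(False, "scan data ends without EOI", seen)
    reason = "segment cap reached" if seen >= max_segments else "data ends before EOI marker"
    return JpegCheck(False, reason, seen)
```

Rejecting input that fails `check_jpeg` is a defence-in-depth measure alongside the upgrade, not a replacement for it; a full decoder should still run under a timeout or in a worker process.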
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-4fx9-vc88-q2xc?
Available Upgrade Options
- pillow
  - <9.0.0 → Upgrade to 9.0.0
Additional Resources
- https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#ensure-jpegimageplugin-stops-at-the-end-of-a-truncated-file
- https://github.com/python-pillow/Pillow
- https://osv.dev/vulnerability/GHSA-4fx9-vc88-q2xc
- https://github.com/python-pillow/Pillow/commit/baae9ec4b67c68e3adaf1208cf54e8de5e38a6fd
What are Similar Vulnerabilities to GHSA-4fx9-vc88-q2xc?
Similar Vulnerabilities: CVE-2021-27922, CVE-2020-35655, CVE-2022-45198, CVE-2022-29217, CVE-2020-8199
