GHSA-jgpv-4h4c-xhw3
Denial of Service vulnerability in pillow (PyPI)
What is GHSA-jgpv-4h4c-xhw3 About?
This is a Denial of Service vulnerability in Pillow before 8.1.1, also impacting versions before 6.2.0, due to improper size checks when processing BLP container images. Attackers can provide a crafted BLP file that leads to very large memory allocations or excessive processing times. Exploitation is relatively easy with a specially crafted file.
Affected Software
Technical Details
The vulnerability is a Denial of Service in Pillow, affecting versions prior to 8.1.1 (the advisory also references versions before 6.2.0). When Pillow reads and processes BLP (Blizzard Entertainment's internal image format) container files, it fails to properly validate the reported image dimensions or internal data sizes within the file. An attacker can submit a specially crafted BLP file that either claims an exorbitantly large image size, leading to an attempted allocation of a vast amount of memory (memory exhaustion), or contains invalid structures that cause the parsing routines to enter extremely long processing loops. Both scenarios result in a denial of service for the application or system using Pillow.
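The root cause above is that the size a BLP file declares in its header is trusted before any pixel data is decoded. The following is an added example, not code from Pillow or from this advisory: a defensive pre-check an application can run on an uploaded file before handing it to the image library, which reads only the declared width and height and rejects files whose claimed canvas exceeds a memory budget. The header layout used here (magic at offset 0, compression at 4, four single-byte flags, then width and height as little-endian uint32 at offsets 12 and 16) is an assumption based on how Pillow's BLP reader interprets BLP1/BLP2 headers; the sample headers are constructed for the example.

```python
import struct

# Assumed BLP1/BLP2 header layout (as Pillow's reader interprets it):
#   bytes 0-3    magic  b"BLP1" or b"BLP2"
#   bytes 4-7    compression (uint32 LE)
#   bytes 8-11   encoding / alpha depth / alpha encoding / mip flag (4 x uint8)
#   bytes 12-15  width  (uint32 LE)
#   bytes 16-19  height (uint32 LE)
BLP_MAGICS = (b"BLP1", b"BLP2")
HEADER_LEN = 20

# Budget for decoded pixels: 16 Mi pixels at 4 bytes each is 64 MiB, far more
# than any legitimate game texture needs. Tune to the application.
MAX_PIXELS = 16 * 1024 * 1024
BYTES_PER_PIXEL = 4


def build_blp_header(magic, width, height, compression=1):
    """Assemble a 20-byte BLP header (helper for constructed test data)."""
    flags = bytes([0, 8, 0, 0])  # encoding, alpha depth, alpha encoding, mips
    return magic + struct.pack("<I", compression) + flags + struct.pack("<II", width, height)


def declared_size(data):
    """Return the (width, height) the file claims, without decoding any pixels."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated BLP header")
    if data[:4] not in BLP_MAGICS:
        raise ValueError("not a BLP file")
    return struct.unpack_from("<II", data, 12)


def check_blp(data, max_pixels=MAX_PIXELS):
    """Return (ok, reason). ok=False means the file must not reach the decoder."""
    try:
        width, height = declared_size(data)
    except ValueError as exc:
        return False, str(exc)
    if width == 0 or height == 0:
        return False, "zero dimension"
    # Python integers do not overflow, so the product is exact even for
    # 0xFFFFFFFF x 0xFFFFFFFF; a C implementation would need an overflow check here.
    pixels = width * height
    if pixels > max_pixels:
        return False, (f"declared {width}x{height} = {pixels} px "
                       f"(~{pixels * BYTES_PER_PIXEL} bytes decoded) exceeds budget {max_pixels} px")
    return True, f"{width}x{height} within budget"


# Constructed samples: a plausible 64x64 texture and a header that claims the
# largest canvas the 32-bit fields can express.
BENIGN = build_blp_header(b"BLP2", 64, 64)
CRAFTED = build_blp_header(b"BLP2", 0xFFFFFFFF, 0xFFFFFFFF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        ok, reason = check_blp(blob)
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
```

This guard only bounds what the header claims; it does not replace upgrading, because the vulnerable versions can also be driven into long processing loops by malformed internal structures that a header check cannot see. Pillow's own decompression-bomb limit (Image.MAX_IMAGE_PIXELS) is a complementary layer for the declared-size case, and decoding untrusted images in a memory-limited, time-limited worker process contains whatever a pre-check misses.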
What is the Impact of GHSA-jgpv-4h4c-xhw3?
Successful exploitation may allow attackers to disrupt the availability of the affected system or application, leading to a denial of service by exhausting system memory, consuming excessive CPU cycles, or crashing the application.
What is the Exploitability of GHSA-jgpv-4h4c-xhw3?
Exploitation of this vulnerability involves providing a malformed BLP image file. The complexity is low to medium, requiring specific knowledge of the BLP file format to craft an image that triggers the oversized memory allocation or processing loop. No specific authentication or privilege is required beyond the ability to submit a BLP file to the target application. This would typically be a remote exploitation vector if the application processes user-uploaded image files, or local if a malicious process directly interacts with the library. The primary prerequisite is the ability to furnish a specially constructed BLP image for processing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-jgpv-4h4c-xhw3?
Available Upgrade Options
- pillow
  - <8.1.2 → Upgrade to 8.1.2
What are Similar Vulnerabilities to GHSA-jgpv-4h4c-xhw3?
Similar Vulnerabilities: CVE-2021-27923, CVE-2021-28678, CVE-2021-25291, CVE-2022-22816, CVE-2020-11538
