PYSEC-2026-2250

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2026-2250.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2250
Aliases
Published
2026-04-15T23:16:10.053Z
Modified
2026-07-13T07:26:24.246094941Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

References

Affected packages

PyPI / pillow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.3.0
Fixed
12.2.0

Affected versions

10.*
10.3.0
10.4.0
11.*
11.0.0
11.1.0
11.2.1
11.3.0
12.*
12.0.0
12.1.0
12.1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2026-2250.yaml"