chore(deps): update dependency pillow to v12.2.0 [security]#63
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency pillow to v12.2.0 [security]#63renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Dependency ReviewThe following issues were found:
Snapshot WarningsEnsure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. License Issuespoetry.lock
OpenSSF Scorecard
Scanned Files
|
Coverage report
This PR does not seem to contain any modification to coverable code. |
Test Results (Python 3.14)183 tests ±0 169 ✅ - 14 19s ⏱️ -1s For more details on these failures, see this check. Results for commit 5617534. ± Comparison against base commit b1fd94d. ♻️ This comment has been updated with latest results. |
Combined Test Results 5 files ±0 5 suites ±0 1m 21s ⏱️ +9s For more details on these failures, see this check. Results for commit 5617534. ± Comparison against base commit b1fd94d. ♻️ This comment has been updated with latest results. |
renovate
Bot
changed the title
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-pillow-vulnerability
branch
2 times, most recently
from
644cfbb to
656f566
Compare
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/pypi-pillow-vulnerability
branch
from
656f566 to
5617534
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
12.1.0→12.2.0Pillow affected by out-of-bounds write when loading PSD images
CVE-2026-25990 / GHSA-cfh3-3jmp-rvhc
More information
Details
Impact
An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.
Patches
Pillow 12.1.1 will be released shortly with a fix for this.
Workarounds
Image.open()has aformatsparameter that can be used to prevent PSD images from being opened.References
Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
FITS GZIP decompression bomb in Pillow
CVE-2026-40192 / GHSA-whj4-6x5x-4v2j
More information
Details
Impact
Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).
Patches
The amount of data read is now limited to the necessary amount.
Fixed in Pillow 12.2.0 (PR #9521).
Workarounds
Avoid Pillow >= 10.3.0, < 12.2.0
Only open specific image formats, excluding FITS.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Pillow has a heap buffer overflow with nested list coordinates
CVE-2026-42309 / GHSA-5xmw-vc9v-4wf2
More information
Details
Passing nested lists as coordinates to APIs that accept coordinates such as
ImagePath.Path,ImageDraw.ImageDraw.polygonandImageDraw.ImageDraw.linecould cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This was introduced in Pillow 11.2.1.Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)
CVE-2026-42311 / GHSA-pwv6-vv43-88gr
More information
Details
Impact
Processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution.
Patches
Patched version: 12.2.0
Pillow 12.1.1 addressed CVE-2026-25990 by adding checks for tile extents in PSD image decoding/encoding to prevent an out-of-bounds write. However, the bounds checks computed tile extent sums using types susceptible to integer overflow, meaning a PSD image with carefully chosen tile dimensions could produce values that wrap around and bypass the checks, still triggering an out-of-bounds write in src/decode.c and src/encode.c. The fix avoids adding extents together before comparison.
Workarounds
Use any version but affected versions: >= 10.3.0, < 12.2.0
Resources
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Pillow has an integer overflow when processing fonts
CVE-2026-42308 / GHSA-wjx4-4jcj-g98j
More information
Details
If a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This has been fixed.
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
CVE-2026-42310 / GHSA-r73j-pqj5-w3x7
More information
Details
Impact
An attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive.
Patches
Patched version: 12.2.0.
PdfParser (introduced in Pillow 4.2.0) follows Prev pointers in PDF trailers to read cross-reference sections. If a
trailer's Prev pointer references an offset that has already been processed — either pointing to itself or forming a
longer cycle — the parser enters an infinite loop. Pillow now tracks previously processed trailer offsets and raises an
error if a cycle is detected.
Workarounds
Use any version but the affected versions: >= 4.2.0, < 12.2.0
Resources
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
python-pillow/Pillow (Pillow)
v12.2.0Compare Source
https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html
Documentation
Dependencies
Testing
macos-15-inteltomacos-26-intel#9454 [@hugovk]Other changes
_getxyrefcount leaks #9487 [@hugovk]setimage()by always passing extents #9395 [@radarhere]self.decodetypo #9445 [@bysiber]v12.1.1Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.