Suggestions search

Untriaged

Filter by:

With package: python314Packages.pillow

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-40192

created 1 week ago Activity log

Created suggestion 1 week ago

Pillow is vulnerable to a FITS GZIP decompression bomb

Pillow is a Python imaging library. Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation). If users are unable to immediately upgrade, they should only open specific image formats, excluding FITS, as a workaround.

References

https://github.com/python-pillow/Pillow/security/advisories/GHSA-whj4-6x5x-4v2j x_refsource_CONFIRM
https://github.com/python-pillow/Pillow/pull/9521 x_refsource_MISC
https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 x_refsource_MISC
https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html#prevent-fits-decompression-bomb x_refsource_MISC

Affected products

Pillow

==>= 10.3.0, < 12.2.0

Matching in nixpkgs

pkgs.python312Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-25.11 12.1.1
- nixos-25.11-small 12.1.1
- nixpkgs-25.11-darwin 12.1.1

pkgs.python313Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 12.1.1
- nixpkgs-unstable 12.1.1
- nixos-unstable-small 12.1.1
nixos-25.11 12.1.1
- nixos-25.11-small 12.1.1
- nixpkgs-25.11-darwin 12.1.1

pkgs.python314Packages.pillow

Friendly PIL fork (Python Imaging Library)

nixos-unstable 12.1.1
- nixpkgs-unstable 12.1.1
- nixos-unstable-small 12.1.1

pkgs.python312Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python312Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python312Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-25.11 0.4
- nixos-25.11-small 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python313Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.1.0
- nixos-25.11-small 1.1.0
- nixpkgs-25.11-darwin 1.1.0

pkgs.python313Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2
nixos-25.11 1.3.2
- nixos-25.11-small 1.3.2
- nixpkgs-25.11-darwin 1.3.2

pkgs.python313Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4
nixos-25.11 0.4
- nixos-25.11-small 0.4
- nixpkgs-25.11-darwin 0.4

pkgs.python314Packages.pillow-heif

Python library for working with HEIF images and plugin for Pillow

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.python314Packages.pillow-jpls

JPEG-LS plugin for the Python Pillow library

nixos-unstable 1.3.2
- nixpkgs-unstable 1.3.2
- nixos-unstable-small 1.3.2

pkgs.python314Packages.pillowfight

Eases the transition from PIL to Pillow for Python packages

nixos-unstable 0.4
- nixpkgs-unstable 0.4
- nixos-unstable-small 0.4

pkgs.python312Packages.types-pillow

Typing stubs for Pillow

nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python313Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822
nixos-25.11 10.2.0.20240822
- nixos-25.11-small 10.2.0.20240822
- nixpkgs-25.11-darwin 10.2.0.20240822

pkgs.python314Packages.types-pillow

Typing stubs for Pillow

nixos-unstable 10.2.0.20240822
- nixpkgs-unstable 10.2.0.20240822
- nixos-unstable-small 10.2.0.20240822

pkgs.python312Packages.pypillowfight

Library containing various image processing algorithms

nixos-25.11 0.3.1
- nixos-25.11-small 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python313Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.1
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1
nixos-25.11 0.3.1
- nixos-25.11-small 0.3.1
- nixpkgs-25.11-darwin 0.3.1

pkgs.python314Packages.pypillowfight

Library containing various image processing algorithms

nixos-unstable 0.3.1
- nixpkgs-unstable 0.3.1
- nixos-unstable-small 0.3.1

pkgs.python312Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

pkgs.python313Packages.pillow-avif-plugin

Pillow plugin that adds support for AVIF files

nixos-25.11 1.5.2
- nixos-25.11-small 1.5.2
- nixpkgs-25.11-darwin 1.5.2

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@D4ndellion Daniel Olsen <daniel@dodsorf.as>
@kuflierl Kennet Flierl <kuflierl@gmail.com>
@bcdarwin Ben Darwin <bcdarwin@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@arjan-s Arjan Schrijver <github@anymore.nl>
@RatCornu Balthazar Patiachvili <ratcornu+programmation@skaven.org>

Permalink CVE-2026-25990

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Pillow has an out-of-bounds write when loading PSD images

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.