pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl: 1 vulnerability (highest severity is: 7.1)

Status: Open. mend-for-github-com[bot] opened this issue 5 months ago • 0 comments

Vulnerable Library - pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/0d/8b/b158ad57ed44d3cc54db8d68ad7c0a58b8fc0e4c7a3f995f9d62d5b464a1/pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250423134520_RSTRUL/python_EXEDNB/20250423134523/pillow-11.2.1-cp39-cp39-manylinux_2_28_x86_64.whl

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (pillow version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-48379 | High | 7.1 | pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl | Direct | 11.3.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-48379

Dependency Hierarchy:

  • :x: pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format, because the encoder writes into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image; the 11.2.1 wheel reported above is inside the affected range. This issue has been patched in version 11.3.0.
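
The following Python is an added example, not code from the Mend report or from Pillow, that turns the advisory's preconditions into a pre-flight check an application can run before writing DDS output: `is_affected` implements the 11.2.0 <= version < 11.3.0 range, `dds_save_is_risky` combines it with the "compressed DDS" condition, and `safe_save_dds` refuses such a save on an affected install while passing every other save through to Pillow's `Image.save`. The compressed `pixel_format` names (DXT1, DXT3, DXT5, BC2, BC3, BC5) are assumed from Pillow's DDS save documentation; the version comparison looks only at the release segment, so pre-release and post-release tags are ignored. The real fix remains the upgrade to 11.3.0; this guard is a stop-gap for a service that must keep handling untrusted images until that lands.

```python
"""Pre-flight check for CVE-2025-48379 before writing compressed DDS output.

Added example, not code from the Mend report or from Pillow. The affected
range (11.2.0 <= version < 11.3.0) and the precondition (saving a compressed
DDS image) come from the advisory text; the compressed pixel_format names
are taken from Pillow's DDS save documentation (assumption).
"""
from __future__ import annotations

import re
from importlib import metadata

AFFECTED_MIN = (11, 2, 0)   # first release in the affected range
FIXED = (11, 3, 0)          # fix released 2025-07-01

# Assumption: values accepted by Pillow's DDS `pixel_format` save option.
# Anything here produces a compressed (BCn) DDS, which is the vulnerable path;
# omitting pixel_format writes an uncompressed DDS, which the advisory excludes.
COMPRESSED_DDS_FORMATS = frozenset({"DXT1", "DXT3", "DXT5", "BC2", "BC3", "BC5"})


def parse_release(version: str) -> tuple[int, int, int]:
    """Return the first three numeric release components of a version string.

    Only the PEP 440 release segment is compared; pre/post/dev suffixes are
    ignored, so '11.2.1.post1' -> (11, 2, 1) and '11.3' -> (11, 3, 0).
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the given Pillow version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_release(version) < FIXED


def installed_pillow_version() -> str | None:
    """Version of the installed Pillow distribution, or None if it is absent."""
    try:
        return metadata.version("pillow")
    except metadata.PackageNotFoundError:
        return None


def dds_save_is_risky(pixel_format: str | None, version: str) -> bool:
    """True when a DDS save with these parameters meets the overflow preconditions.

    Uncompressed DDS (pixel_format omitted) is not affected per the advisory,
    and neither is any version outside 11.2.x.
    """
    if pixel_format is None:
        return False
    return pixel_format.upper() in COMPRESSED_DDS_FORMATS and is_affected(version)


def safe_save_dds(image, path: str, pixel_format: str | None = None,
                  version: str | None = None) -> None:
    """Save `image` as DDS, refusing compressed output on an affected Pillow.

    `image` is any object with Pillow's Image.save signature; `version`
    defaults to the installed Pillow. Raises RuntimeError instead of
    handing untrusted pixel data to the vulnerable compressed encoder.
    """
    version = version or installed_pillow_version() or "0"
    if dds_save_is_risky(pixel_format, version):
        raise RuntimeError(
            f"refusing compressed DDS ({pixel_format}) save on Pillow {version}: "
            "CVE-2025-48379 heap overflow, upgrade to >= 11.3.0"
        )
    kwargs = {"pixel_format": pixel_format} if pixel_format else {}
    image.save(path, format="DDS", **kwargs)


if __name__ == "__main__":
    found = installed_pillow_version()
    if found is None:
        print("Pillow is not installed")
    else:
        verdict = "AFFECTED" if is_affected(found) else "not affected"
        print(f"Pillow {found}: {verdict} by CVE-2025-48379")
```

Run as a script it reports whether the locally installed Pillow is in range; imported, it wraps DDS writes. The guard is deliberately conservative: it refuses every compressed save on 11.2.x rather than trying to estimate the ">64k encoded" threshold, since the encoded size depends on the image content and encoder settings and cannot be known before the vulnerable write happens.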

Publish Date: 2025-07-01

URL: CVE-2025-48379

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-07-01

Fix Resolution: 11.3.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
