Skip to content

pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl: 1 vulnerabilities (highest severity is: 7.1) #113

New issue
New issue
Open
#115
Open
pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl: 1 vulnerabilities (highest severity is: 7.1)#113
#115
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jul 2, 2025
Vulnerable Library - pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/0d/8b/b158ad57ed44d3cc54db8d68ad7c0a58b8fc0e4c7a3f995f9d62d5b464a1/pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250423134520_RSTRUL/python_EXEDNB/20250423134523/pillow-11.2.1-cp39-cp39-manylinux_2_28_x86_64.whl

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (pillow version) Remediation Possible**
CVE-2025-48379 High 7.1 pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl Direct 11.3.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-48379

Vulnerable Library - pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/0d/8b/b158ad57ed44d3cc54db8d68ad7c0a58b8fc0e4c7a3f995f9d62d5b464a1/pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250423134520_RSTRUL/python_EXEDNB/20250423134523/pillow-11.2.1-cp39-cp39-manylinux_2_28_x86_64.whl

Dependency Hierarchy:

  • pillow-11.2.1-cp310-cp310-macosx_10_10_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.

Publish Date: 2025-07-01

URL: CVE-2025-48379

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xg8h-j46f-w952

Release Date: 2025-07-01

Fix Resolution: 11.3.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions