Regular Expression Denial of Service (ReDoS)
Description
The package pillow, from version 5.2.0 and before 8.3.2, is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow versions from 5.2.0 up to but not including 8.3.2 are vulnerable to regular expression denial of service (ReDoS) via the getrgb function.
Vulnerability
The getrgb function in Pillow (Python Imaging Library) is vulnerable to Regular Expression Denial of Service (ReDoS) due to a poorly crafted regular expression that can cause catastrophic backtracking when processing certain color strings. Affected versions are Pillow 5.2.0 up to but not including 8.3.2 [1][2].
Exploitation
An attacker can trigger the ReDoS by supplying a specially crafted color string to the getrgb function: a long input whose shape causes the regular expression engine to backtrack exponentially. No special privileges or network position are required beyond the ability to supply input to the vulnerable function [3].
Impact
Successful exploitation results in denial of service (DoS): the application becomes unresponsive or crashes because of excessive CPU consumption while the regular expression is evaluated. Confidentiality and integrity of data are not affected [3].
Mitigation
Upgrade to Pillow version 8.3.2 or later, which includes a fix in commit 9e08eb8f78fdfd2f476e1b20b7cf38683754866b [1][4]. No workarounds are available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 5.2.0, < 8.3.2 | 8.3.2 |
Affected products (10)
- Pillow/pillow
  - OSV coordinates (9 versions): pkg:bitnami/pillow; pkg:pypi/pillow; pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5; pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208; pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6; pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208; pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209; pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208; pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
  - Range: >= 5.2.0, < 8.3.2 (+ 8 more)
- (no CPE) range: >= 5.2.0, < 8.3.2
- (no CPE) range: >= 5.2.0, < 8.3.2
- (no CPE) range: < 7.2.0-150300.3.15.1
- (no CPE) range: < 4.2.1-3.20.2
- (no CPE) range: < 7.2.0-150300.3.15.1
- (no CPE) range: < 4.2.1-3.20.2
- (no CPE) range: < 5.2.0-3.14.1
- (no CPE) range: < 4.2.1-3.20.2
- (no CPE) range: < 5.2.0-3.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-98vv-pw6r-q6q4 (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/ (MITRE and GHSA, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/ (MITRE and GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23437 (GHSA, advisory)
- security.gentoo.org/glsa/202211-10 (GHSA, vendor advisory, web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml (GHSA, web)
- github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b (GHSA, web)
- lists.debian.org/debian-lts-announce/2024/03/msg00021.html (GHSA, mailing list, web)
- pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html (GHSA, web)
- snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443 (GHSA, web)
News mentions
No linked articles in our index yet.