CVE-2021-25289
Description
An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap-buffer overflow in Pillow's TiffDecode when processing crafted YCbCr files due to interpretation conflicts with LibTIFF in RGBA mode.
Vulnerability Overview
CVE-2021-25289 is a heap-based buffer overflow vulnerability in the TiffDecode function of Pillow (Python Imaging Library fork) prior to version 8.1.1. The issue arises when decoding crafted YCbCr TIFF files because of certain interpretation conflicts with LibTIFF in RGBA mode [1]. Notably, this vulnerability exists because of an incomplete fix for CVE-2020-35654, indicating that the earlier patch did not fully address the underlying problem [2].
Exploitation and Attack Surface
An attacker can exploit this vulnerability by supplying a specially crafted YCbCr TIFF file to an application that uses an affected version of Pillow to decode the image. No special privileges are required beyond the ability to provide a malicious image file for processing. The heap-based overflow occurs during the decoding process, which means the application does not need to save or display the image in a specific way—merely opening the file can trigger the bug [3].
Impact
Successful exploitation of this heap-based buffer overflow could allow an attacker to corrupt memory, potentially leading to application crashes or arbitrary code execution in the context of the process running Pillow. The severity is elevated because image processing is often performed on untrusted user input (e.g., uploaded images in web applications), making this a remotely triggerable vulnerability [1][2].
Mitigation Status
Users of Pillow should upgrade to version 8.1.1 or later, which contains the fix for this vulnerability [4]. The Python Package Index (PyPI) advisory database has also listed this vulnerability, urging users to update promptly [3]. There is no workaround other than patching, as the flaw resides in the core decoding logic.
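Since the only remediation is upgrading, the practical check is whether the Pillow a process imports is an upstream build older than 8.1.1. The following is an added example (not code from the Pillow project or from this advisory): it parses a Pillow version string with the standard library, orders a pre-release of the fix version below the final release, and reports the installed Pillow if one is importable. The function names `parse_version`, `is_affected_upstream`, `installed_pillow_version` and `assess` are this example's own. One caveat the affected-products data on this page makes visible: distribution packages such as openSUSE's `python-Pillow` carry the fix in builds whose upstream version is still 7.2.0 (range `< 7.2.0-150300.3.15.1`), so this upstream-version check is only meaningful for PyPI-installed Pillow, not for vendor-patched packages.

```python
import re
from typing import Optional, Tuple

# Upstream fixed release for CVE-2021-25289, taken from the advisory above.
FIXED_VERSION = "8.1.1"

# Matches "major.minor[.patch]" with an optional a/b/rc pre-release tag.
# Post/dev suffixes are ignored; only a/b/rc pre-releases are recognised.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:(?P<pre>a|b|rc)(?P<pre_n>\d+))?"
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Pillow-style version string into a sortable tuple.

    A final release sorts after its own pre-releases (8.1.1rc1 < 8.1.1),
    which matters here: a release candidate of the fix is not the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major = int(m.group("major"))
    minor = int(m.group("minor"))
    patch = int(m.group("patch") or 0)
    if m.group("pre"):
        pre_rank = {"a": 0, "b": 1, "rc": 2}[m.group("pre")]
        pre_n = int(m.group("pre_n"))
    else:
        pre_rank, pre_n = 3, 0  # final release outranks any pre-release tag
    return (major, minor, patch, pre_rank, pre_n)


def is_affected_upstream(version: str) -> bool:
    """True if an upstream (PyPI) Pillow build of this version is below 8.1.1.

    Not valid for distro-patched builds, which may backport the fix
    without changing the upstream version number.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_pillow_version() -> Optional[str]:
    """Version of the Pillow importable in this interpreter, or None."""
    try:
        import PIL  # imported lazily so this module loads without Pillow present
    except ImportError:
        return None
    return getattr(PIL, "__version__", None)


def assess(version: Optional[str]) -> str:
    """Human-readable verdict for a version string (None = not installed)."""
    if version is None:
        return "Pillow not installed"
    if is_affected_upstream(version):
        return f"Pillow {version}: affected by CVE-2021-25289, upgrade to {FIXED_VERSION}+"
    return f"Pillow {version}: not affected (>= {FIXED_VERSION})"


if __name__ == "__main__":
    print(assess(installed_pillow_version()))
```

Run it inside the virtual environment of the application that decodes untrusted images; a verdict for a different interpreter's Pillow says nothing about the one actually handling uploads.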
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pillow | PyPI | < 8.1.1 | 8.1.1 |
Affected products
Pillow/Pillow (8 entries; no CPE assigned). OSV package coordinates and their affected ranges, in the order listed:

| Package coordinate (purl) | Distribution | Affected range |
|---|---|---|
| pkg:bitnami/pillow | Bitnami | < 8.1.1 |
| pkg:pypi/pillow | PyPI | < 8.1.1 |
| pkg:rpm/opensuse/python-CairoSVG | openSUSE Leap 15.2 | < 2.5.1-lp152.2.3.1 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.2 | < 8.3.1-lp152.5.3.1 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Leap 15.5 | < 7.2.0-150300.3.15.1 |
| pkg:rpm/opensuse/python-Pillow | openSUSE Tumbleweed | < 8.3.2-1.2 |
| pkg:rpm/suse/python-Pillow | SUSE Linux Enterprise Module for Package Hub 15 SP6 | < 7.2.0-150300.3.15.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-57h3-9rgr-c24m (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-25289 (NVD advisory)
- https://security.gentoo.org/glsa/202107-33 (Gentoo vendor advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-35.yaml (PyPI advisory database entry)
- https://github.com/python-pillow/Pillow/commit/3fee28eb9479bf7d59e0fa08068f9cc4a6e2f04c (upstream fix commit)
- https://github.com/python-pillow/Pillow/commit/cbfdde7b1f2295059a20a539ee9960f0bec7b299 (upstream fix commit)
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html (Pillow 8.1.1 release notes)
News mentions
No linked articles in our index yet.