CVE-2021-28677
Description
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.2.0 uses a quadratic readline in EPSImageFile, allowing a malicious EPS file to cause a denial of service during the open phase.
Vulnerability
The vulnerability resides in Pillow's EPSImageFile readline implementation, which must handle any combination of \r and \n as line endings. The code accidentally used a quadratic method of accumulating lines while searching for a line ending, leading to excessive CPU consumption. This issue affects all Pillow versions before 8.2.0 and dates back to the PIL fork [1][4].
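To make the quadratic-versus-linear distinction concrete, here is an added illustration constructed for this page (it is not Pillow's EpsImagePlugin code, and the function names are hypothetical): both readers accept any mix of `\r`, `\n` and `\r\n` endings, but the first rescans the whole accumulated buffer for a terminator after every byte it appends, so one long line costs work proportional to the square of its length. Each reader returns a counter of the bytes it examined, so the growth can be checked without timing anything.

```python
import io

def _swallow_lf(fp):
    # Treat "\r\n" as one line ending: drop a "\n" that directly follows "\r".
    nxt = fp.read(1)
    if nxt and nxt != b"\n":
        fp.seek(-1, 1)

def readline_quadratic(fp):
    # Constructed illustration of the accidentally quadratic pattern (not
    # Pillow's code): append one byte, then rescan the whole buffer. O(n^2).
    buf, work = b"", 0
    while True:
        c = fp.read(1)
        if not c:
            return buf, work
        buf += c
        work += len(buf)  # cost of rescanning buf from the start
        if buf.find(b"\r") != -1 or buf.find(b"\n") != -1:
            if c == b"\r":
                _swallow_lf(fp)
            return buf[:-1], work

def readline_linear(fp):
    # Hardened pattern: only the byte just read is tested for a terminator. O(n).
    buf, work = bytearray(), 0
    while True:
        c = fp.read(1)
        if not c:
            return bytes(buf), work
        work += 1
        if c in (b"\r", b"\n"):
            if c == b"\r":
                _swallow_lf(fp)
            return bytes(buf), work
        buf += c

def read_lines(data, readline):
    # Split data into lines with the given reader; returns (lines, total_work).
    fp = io.BytesIO(data)
    lines, total = [], 0
    while fp.tell() < len(data):
        line, work = readline(fp)
        lines.append(line)
        total += work
    return lines, total

# Constructed EPS-style header using all three line-ending conventions.
SAMPLE = b"%!PS-Adobe-3.0 EPSF-3.0\r\n%%BoundingBox: 0 0 10 10\n%%EOF\r"
```

Doubling the length of a single line roughly quadruples the work reported by `readline_quadratic` while merely doubling it for `readline_linear`, which is the asymmetry a crafted file exploits.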
Exploitation
An attacker can exploit this by providing a specially crafted EPS file containing many lines that trigger the quadratic accumulation behavior. No authentication or special privileges are required; the file is processed during the open() phase of Pillow, before the image is accepted for opening. The denial of service occurs immediately upon opening the malicious file [1][2].
Impact
Successful exploitation results in a denial of service (DoS) condition. The open() call consumes an excessive amount of CPU time, potentially causing the application to hang or crash. There is no impact on confidentiality or integrity of data [1][2].
Mitigation
The vulnerability is fixed in Pillow version 8.2.0, released on 2021-04-01. Users should upgrade to 8.2.0 or later. No workaround is available for earlier versions [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.2.0 | 8.2.0 |
Affected products
- Pillow/Pillow (OSV coordinates, 10 package versions):
  - pkg:bitnami/pillow
  - pkg:pypi/pillow
  - pkg:rpm/almalinux/python3-pillow
  - pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
  - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
  - range: < 8.2.0 (+ 9 more)
- (no CPE) range: < 8.2.0
- (no CPE) range: < 8.2.0
- (no CPE) range: < 5.1.1-16.el8
- (no CPE) range: < 7.2.0-150300.3.12.1
- (no CPE) range: < 4.2.1-3.14.1
- (no CPE) range: < 2.8.1-4.22.1
- (no CPE) range: < 4.2.1-3.14.1
- (no CPE) range: < 5.2.0-3.8.1
- (no CPE) range: < 4.2.1-3.14.1
- (no CPE) range: < 5.2.0-3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q5hq-fp76-qmrc (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ (MITRE; vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-28677 (GHSA; advisory)
- security.gentoo.org/glsa/202107-33 (GHSA; vendor advisory, x_refsource_GENTOO, web)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml (GHSA; web)
- github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92 (GHSA; web)
- github.com/python-pillow/Pillow/pull/5377 (GHSA; x_refsource_MISC, web)
- lists.debian.org/debian-lts-announce/2021/07/msg00018.html (GHSA; mailing list, x_refsource_MLIST, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL (GHSA; web)
- pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html (GHSA; x_refsource_MISC, web)
News mentions
No linked articles in our index yet.