VYPR
High severity · NVD Advisory · Published Nov 14, 2022 · Updated Aug 3, 2024

CVE-2022-45198

Description

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 9.2.0 does not guard against highly compressed GIF data, so a small crafted file can act as a decompression bomb and cause a denial of service.

Vulnerability

Description

CVE-2022-45198 is a data amplification vulnerability in Pillow, the Python Imaging Library, affecting versions prior to 9.2.0. The issue stems from improper handling of highly compressed GIF data, a classic decompression bomb scenario (CWE-409) [1]. When a specially crafted GIF file with an extremely high compression ratio is processed, the library expands the compressed data into a disproportionately large output, consuming excessive memory and CPU resources.

Exploitation

An attacker can exploit this vulnerability by providing a small, maliciously crafted GIF image to an application that uses Pillow to decode it. No authentication or special network position is required; the attack can be delivered via any vector that allows the attacker to supply an image file (e.g., file upload, email attachment, or web content). The GIF's compression ratio is chosen so that the decompressed data far exceeds the input size, triggering uncontrolled memory allocation [2].

Impact

Successful exploitation leads to a denial of service (DoS) condition. The application may become unresponsive, crash, or exhaust available system memory, potentially affecting other processes on the same host. This vulnerability does not allow code execution or data exfiltration, but it can disrupt service availability [3].

Mitigation

The issue is fixed in Pillow version 9.2.0, which introduces a decompression bomb check for GIF images [2][4]. Users should upgrade to Pillow 9.2.0 or later. No workarounds are documented; however, limiting the size of uploaded images or using a proxy to validate image dimensions may reduce risk. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
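One way to apply the size-limiting advice above before any pixel data is decoded, as an added example that is not code from Pillow or from this advisory: walk the GIF block structure, sum the areas each image descriptor declares, and reject a file whose decoded output would exceed a pixel or frame budget. The budget defaults, the `screen_gif` function and the `build_test_gif` helper (which emits a constructed GIF with a stub LZW payload, not a real image) are all assumptions of this example.

```python
import struct

class GifBudgetExceeded(ValueError):
    """Declared decoded output or frame count exceeds the configured budget."""

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Data sub-blocks are (length byte, payload) pairs terminated by a 0x00 length.
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: sub-block chain never terminated")
        length, pos = data[pos], pos + 1
        if length == 0:
            return pos
        pos += length

def screen_gif(data: bytes, max_pixels: int = 50_000_000, max_frames: int = 500) -> dict:
    """Sum declared frame areas by walking the block structure; LZW data is never decoded."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global color table: 3 bytes * 2^(N+1) entries
        pos += 3 * (2 << (packed & 0x07))
    frames = total_pixels = 0
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: left, top, width, height, packed
            _, _, fw, fh, fpacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if fpacked & 0x80:  # local color table
                pos += 3 * (2 << (fpacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
            frames, total_pixels = frames + 1, total_pixels + fw * fh
            if frames > max_frames or total_pixels > max_pixels:
                raise GifBudgetExceeded(f"{total_pixels} px over {frames} frame(s) exceeds budget")
        else:
            raise ValueError(f"unknown GIF block type 0x{block:02x}")
    return {"width": width, "height": height, "frames": frames, "total_pixels": total_pixels,
            "amplification": total_pixels / max(len(data), 1)}

def build_test_gif(canvas: int, frame: int, frames: int) -> bytes:
    """Constructed test GIF (not a real image): `frames` frames of frame x frame px, stub LZW payload."""
    out = b"GIF89a" + struct.pack("<HHBBB", canvas, canvas, 0x80, 0, 0) + b"\0\0\0\xff\xff\xff"
    for _ in range(frames):
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, frame, frame, 0) + b"\x02\x02\x44\x01\x00"
    return out + b"\x3b"
```

Because the walk never inflates the LZW stream, its cost stays proportional to the file size, which is the property a decompression bomb defeats in the decoder itself; it complements, rather than replaces, upgrading to 9.2.0 and Pillow's own `Image.MAX_IMAGE_PIXELS` limit.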

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
pillow (PyPI)    < 9.2.0             9.2.0
