High severity · NVD Advisory · Published Jul 1, 2025 · Updated Jul 1, 2025
Pillow Vulnerable to Write Buffer Overflow on BCn encoding
CVE-2025-48379
Description
Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.
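As an added example (not code from Pillow or the advisory), the helper below turns the two conditions in the description into a pre-save check: the Pillow version must be in the affected range, and the BCn payload must exceed the "64k with default settings" limit. It assumes that limit is Pillow's default encoder output buffer of 65536 bytes and uses the standard BCn block sizes; the image sizes used at the bottom are constructed.

```python
"""Exposure check for CVE-2025-48379 (added example, not Pillow project code)."""
import re

# Assumption: the advisory's "64k with default settings" is the default
# encoder output buffer size (Pillow's ImageFile.MAXBLOCK, 65536 bytes).
DEFAULT_ENCODER_BUFFER = 64 * 1024

# Standard BCn sizes: bytes per 4x4 texel block.
BLOCK_BYTES = {"BC1": 8, "DXT1": 8, "BC4": 8,
               "BC2": 16, "DXT3": 16, "BC3": 16, "DXT5": 16,
               "BC5": 16, "BC7": 16}

AFFECTED_MIN = (11, 2, 0)  # first vulnerable release, per the advisory
FIXED = (11, 3, 0)         # patched release, per the advisory


def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from strings like '11.2.1' or '11.3.0.dev0'."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the Pillow version lies in >= 11.2.0, < 11.3.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def bcn_encoded_size(width: int, height: int, fmt: str) -> int:
    """Bytes of BCn payload: one block per 4x4 texels, partial blocks rounded up."""
    blocks = -(-width // 4) * -(-height // 4)
    return blocks * BLOCK_BYTES[fmt.upper()]


def dds_save_risk(version: str, width: int, height: int, fmt: str) -> tuple:
    """Report whether compressing this image on this Pillow meets the overflow condition."""
    if not is_affected(version):
        return False, f"Pillow {version} is outside the affected range"
    size = bcn_encoded_size(width, height, fmt)
    if size <= DEFAULT_ENCODER_BUFFER:
        return False, f"{size} encoded bytes fit the {DEFAULT_ENCODER_BUFFER}-byte buffer"
    return True, (f"{size} encoded bytes exceed the {DEFAULT_ENCODER_BUFFER}-byte buffer "
                  f"on vulnerable Pillow {version}; upgrade to 11.3.0")


if __name__ == "__main__":
    # Constructed cases: a 256x256 BC1 texture fits in 64 KiB, a 512x512 one does not.
    for ver, w, h, fmt in [("11.2.1", 256, 256, "BC1"), ("11.2.1", 512, 512, "BC1"),
                           ("11.3.0", 512, 512, "DXT5")]:
        print(ver, w, h, fmt, "->", dds_save_risk(ver, w, h, fmt))
```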
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | >= 11.2.0, < 11.3.0 | 11.3.0 |
Affected products
- Range: >= 11.2.0, < 11.3.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xg8h-j46f-w952 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-48379 (NVD advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2025-61.yaml (PyPA advisory database)
- github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4 (fix commit)
- github.com/python-pillow/Pillow/pull/9041 (fix pull request)
- github.com/python-pillow/Pillow/releases/tag/11.3.0 (patched release)
- github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952 (vendor advisory, confirm)