Pillow GZIP Decompression Bomb Vulnerability in FITS Image Processing

Vulnerability

A denial-of-service vulnerability has been identified in the Python imaging library Pillow, affecting versions from 10.3.0 up to, but not including, 12.2.0. The FITS image decoder did not bound the amount of GZIP-compressed data it inflated. A small, specially crafted FITS file (a decompression bomb) can therefore expand to an arbitrarily large buffer in memory as soon as it is opened, exhausting memory or degrading the host severely.

Impact

Opening a crafted FITS file with Pillow consumes memory without bound, causing an out-of-memory crash of the decoding process or severe performance degradation of the host. Because Image.open() identifies formats by content rather than by file extension, any service that hands untrusted uploads to Pillow is exposed even if it never intends to accept FITS input. Pillow's MAX_IMAGE_PIXELS check does not help here: it is applied to the dimensions declared in the header, not to what the compressed stream actually expands to.

Remediation

Upgrade to Pillow 12.2.0 or later. If an immediate upgrade is not possible, keep FITS input away from the decoder: reject files by content (a FITS file begins with the header card `SIMPLE  =`) rather than by extension, and restrict the formats Pillow will try by passing the `formats` argument to `Image.open()` (for example `formats=["JPEG", "PNG"]`), which skips the FITS plugin entirely. As defence in depth, decode untrusted images under a process memory limit so that a bomb fails one request instead of the whole host.
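The following is an added example, not Pillow's code and not the patched decoder. It shows the two sides of the advisory: a content-based gate that keeps FITS files out of the pipeline while an upgrade is pending, and a gzip inflater that enforces a budget on actual output, which is the property the vulnerable decoder lacked. It assumes that a FITS file begins with the card `SIMPLE  =` (FITS standard) and that the attacker controls the whole stream, so neither the FITS header nor the gzip ISIZE trailer can be trusted to predict the decompressed size; the bomb and the FITS header are constructed in the block itself. Function names (`is_fits`, `bounded_gunzip`, `build_bomb`, `forge_trailer`) are hypothetical.

```python
"""Gate FITS input and bound gzip expansion before untrusted bytes reach a decoder.

Added example; not Pillow code. Assumptions (not from the advisory):
  * a FITS file starts with the header card "SIMPLE  =" (FITS standard),
  * the attacker controls the gzip stream, so the ISIZE trailer is not a guard.
"""
import gzip
import struct
import zlib


class DecompressionBombError(ValueError):
    """Raised when a gzip stream would expand past the caller's budget."""


def is_fits(data: bytes) -> bool:
    # Sniff content, not the file extension: Image.open() also identifies
    # formats by content, so a FITS file named "photo.png" is still FITS.
    return data[:9] == b"SIMPLE  ="


def gzip_isize_hint(data: bytes) -> int:
    # ISIZE is the uncompressed length mod 2**32. It is attacker-controlled and
    # zlib only verifies it after inflating everything, so it is a hint for
    # logging, never a guard.
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", data[-4:])[0]


def bounded_gunzip(data: bytes, max_output: int) -> bytes:
    """Inflate a gzip stream, refusing to produce more than max_output bytes."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 31 = gzip framing
    out = bytearray()
    pending = data
    while pending:
        # Ask for at most one byte beyond the budget so an overrun is detected
        # without ever buffering an unbounded amount.
        out += inflater.decompress(pending, max_output - len(out) + 1)
        if len(out) > max_output:
            consumed = len(data) - len(inflater.unconsumed_tail)
            raise DecompressionBombError(
                f"gzip output exceeds {max_output} bytes after {consumed} input bytes"
            )
        pending = inflater.unconsumed_tail
    out += inflater.flush()  # drains any match still pending inside zlib
    if len(out) > max_output:
        raise DecompressionBombError(f"gzip output exceeds {max_output} bytes")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def rejects_bomb(data: bytes, budget: int) -> bool:
    """True if bounded_gunzip stops the stream at the budget."""
    try:
        bounded_gunzip(data, budget)
    except DecompressionBombError:
        return True
    return False


def build_bomb(size: int = 16 * 1024 * 1024) -> bytes:
    # Constructed sample: a run of zeros compresses roughly 1000:1, so a few
    # kilobytes of input expand to 16 MiB of output.
    return gzip.compress(b"\x00" * size)


def forge_trailer(bomb: bytes, claimed_size: int) -> bytes:
    # Rewrite ISIZE so the trailer claims a tiny decompressed size; zlib still
    # inflates the full payload before it notices the mismatch.
    return bomb[:-4] + struct.pack("<I", claimed_size)


def build_fits_header(cards: list[str]) -> bytes:
    # Minimal FITS primary header: 80-byte cards, an END card, padded to 2880.
    block = b"".join(c.ljust(80).encode("ascii") for c in cards + ["END"])
    return block.ljust(2880, b" ")


# Constructed sample FITS primary header (no data unit).
SAMPLE_FITS = build_fits_header(
    ["SIMPLE  =                    T", "BITPIX  =                    8", "NAXIS   =                    0"]
)


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"bomb: {len(bomb)} compressed bytes, trailer claims {gzip_isize_hint(bomb)}")
    forged = forge_trailer(bomb, 1024)
    print(f"forged trailer claims {gzip_isize_hint(forged)}; rejected at 1 MiB budget:",
          rejects_bomb(forged, 1 << 20))
    print("sample header is FITS:", is_fits(SAMPLE_FITS))
```

The budget is enforced on bytes produced, not on anything the file says about itself, which is why the forged trailer changes nothing. In a real service the gate `is_fits` runs on the first bytes of an upload before Pillow sees it, and the budget for `bounded_gunzip` is derived from the pixel size the caller is willing to allocate.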

Added: Apr 15, 2026, 11:21 PM
Updated: Apr 15, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 4.9
remediation: 7.9
relevance: 6.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.