CVE-2021-25287: Out-of-bounds Read in Pillow
CVSS Score: 9.1 (CVSS 3.1 base score)
Basic Information
CVE ID: CVE-2021-25287
GHSA ID:
EPSS Score: 0.4958%
CWE:
Published: 6/8/2021
Updated: 10/9/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Pillow | pip | >= 2.4.0, < 8.2.0 | 8.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff concentrates on j2k_decode_entry, in the computation of the tile buffer size. Before the patch, the buffer was sized as tile_width * tile_height * components, where 'components' was a per-image count (hardcoded to 4 for 3-component images) rather than a per-component measure, so it did not account for components of differing widths. When the decoded component data exceeded that estimate, the buffer was underallocated and the subsequent unpacking read past its end. The patch introduces 'total_component_width', which sums the size of each component and is used when sizing and checking the tile; that change marks this as the vulnerable code path. The CVE description names j2ku_graya_la, but that is one of the unpacker routines called from j2k_decode_entry: the undersized buffer is produced by j2k_decode_entry's general J2K decoding logic, and j2ku_graya_la is the specific unpacker in which the out-of-bounds read surfaces.
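As an added illustration (not Pillow's or OpenJPEG's code, and not the text of the 8.2.0 patch), the following C program contrasts the two sizing strategies described above: the per-image estimate tile_width * tile_height * components against a sum over each component's own width, height and sample precision, together with the bounds check an unpacker should pass before reading one component. The comp_desc struct, the function names and the 4x4 two-component sample tile are constructed for this example; because the second sample component is 16-bit, the naive estimate comes out at 32 bytes while the components actually occupy 48, and the check refuses to read component 1 from the 32-byte buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed per-component descriptor for one decoded tile. It stands in for
 * the geometry and precision a JPEG 2000 library reports per component; it is
 * not Pillow's or OpenJPEG's struct. */
typedef struct {
    uint32_t w;    /* component width in samples (subsampling can shrink it) */
    uint32_t h;    /* component height in samples */
    uint32_t prec; /* sample precision in bits: 8, 12, 16, ... */
} comp_desc;

/* Bytes needed to store one sample of 'prec' bits. */
static size_t bytes_per_sample(uint32_t prec) {
    return ((size_t)prec + 7) / 8;
}

/* a * b with overflow detection; returns 0 on success, -1 on overflow. */
static int mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return -1;
    }
    *out = a * b;
    return 0;
}

/* Vulnerable-style sizing with the shape of the pre-fix formula described
 * above (tile_width * tile_height * components). It assumes every component
 * covers the whole tile at one byte per sample. */
size_t tile_bytes_naive(uint32_t tile_w, uint32_t tile_h, uint32_t components) {
    return (size_t)tile_w * tile_h * components;
}

/* Fixed-style sizing: add up the footprint each component actually occupies.
 * Writes the total to *out; returns 0 on success, -1 if the arithmetic
 * would overflow size_t. */
int tile_bytes_per_component(const comp_desc *comps, size_t n, size_t *out) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t samples, bytes;
        if (mul_size(comps[i].w, comps[i].h, &samples) != 0 ||
            mul_size(samples, bytes_per_sample(comps[i].prec), &bytes) != 0 ||
            total > SIZE_MAX - bytes) {
            return -1;
        }
        total += bytes;
    }
    *out = total;
    return 0;
}

/* Check an unpacker should pass before reading component 'idx' out of a
 * buffer of 'buf_len' bytes that holds the components back to back.
 * Returns 1 if the whole component lies inside the buffer, else 0. */
int component_fits(const comp_desc *comps, size_t n, size_t idx, size_t buf_len) {
    size_t offset, this_len;
    if (idx >= n) {
        return 0;
    }
    if (tile_bytes_per_component(comps, idx, &offset) != 0 ||
        tile_bytes_per_component(&comps[idx], 1, &this_len) != 0) {
        return 0;
    }
    return offset <= buf_len && this_len <= buf_len - offset;
}

/* Constructed sample: a 4x4 tile with an 8-bit component followed by a
 * 16-bit one. The naive formula yields 32 bytes; the data needs 48. */
static const comp_desc SAMPLE_COMPS[] = { {4, 4, 8}, {4, 4, 16} };
static const size_t SAMPLE_N = sizeof SAMPLE_COMPS / sizeof SAMPLE_COMPS[0];

size_t sample_exact_bytes(void) {
    size_t total = 0;
    return tile_bytes_per_component(SAMPLE_COMPS, SAMPLE_N, &total) == 0 ? total : 0;
}

int sample_component_fits(size_t idx, size_t buf_len) {
    return component_fits(SAMPLE_COMPS, SAMPLE_N, idx, buf_len);
}

/* A component too large for size_t arithmetic must be refused, not wrapped. */
int overflow_is_rejected(void) {
    const comp_desc huge[] = { {UINT32_MAX, UINT32_MAX, 16} };
    size_t total = 0;
    return tile_bytes_per_component(huge, 1, &total) != 0;
}

int main(void) {
    size_t naive = tile_bytes_naive(4, 4, (uint32_t)SAMPLE_N);
    printf("naive tile_bytes        = %zu\n", naive);
    printf("per-component bytes     = %zu\n", sample_exact_bytes());
    printf("component 1 fits in naive buffer? %d\n", sample_component_fits(1, naive));
    printf("component 1 fits in exact buffer? %d\n",
           sample_component_fits(1, sample_exact_bytes()));
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra example.c`. In a real decoder the per-component geometry comes from the library's component descriptors, the allocation must be derived from that sum rather than from a per-image component count, and the fit check belongs in front of every unpacker call, including the gray-plus-alpha path the CVE description singles out.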