Miggo Logo
Miggo Vulnerability Database
CVE-2021-27923

CVE-2021-27923: Pillow Denial of Service by Uncontrolled Resource Consumption

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-27923
GHSA ID
GHSA-95q3-8gr9-gm8w
EPSS Score
0.40856%
CWE
CWE-400
Published
3/18/2021
Updated
10/8/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Pillowpip< 8.1.18.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from direct instantiation of image parsers (PngImageFile, JpegImageFile, Jpeg2KImageFile) within container format handlers without invoking Pillow's decompression bomb checks. The GitHub patch adds Image._decompression_bomb_check() calls to these specific locations, confirming these were the missing validation points. The affected functions handle image loading for ICO/ICNS/BLP containers but bypassed the standard safety checks performed by Image.open().

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pillow ***or* *.*.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** (m*mory *onsumption) ****us* t** r*port** siz* o* * *ont*in** im*** is not prop*rly ****k** *or *n I*O *ont*in*r, *n* t*us *n *tt*mpt** m*mory *llo**tion **n ** v*ry l*r**.

Reasoning

T** vuln*r**ility st*mm** *rom *ir**t inst*nti*tion o* im*** p*rs*rs (Pn*Im****il*, Jp**Im****il*, Jp***KIm****il*) wit*in *ont*in*r *orm*t **n*l*rs wit*out invokin* Pillow's ***ompr*ssion *om* ****ks. T** *it*u* p*t** ***s Im***._***ompr*ssion_*om*_