CVSS Score: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pillow | pip | < 9.2.0 | 9.2.0 |
The vulnerability stems from improper handling of GIF frame extents during decompression. The GitHub commit 11918eac0628ec8ac0812670d9838361ead2d6a4 (from PR #6402) adds a critical Image._decompression_bomb_check call in GifImagePlugin's _seek method at the point where the image dimensions are updated. This indicates that the vulnerable code path was in frame processing, where the logical screen dimensions could be expanded beyond safe limits without validation. The test case added in Tests/test_decompression_bomb.py specifically checks for extents-based bombs, and the fix location in GifImagePlugin.py confirms the vulnerable function.
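As an added illustration (not code from Pillow or from the commit referenced above), the following script parses the GIF logical screen descriptor and image descriptors directly and applies a decompression-bomb check, modelled on a pixel-count limit, whenever a frame's declared extent would grow the canvas. The limit constant, the GIF byte strings and all function names are constructed for this example.

```python
import struct
import warnings

# Constructed pixel budget for the example (same order of magnitude as a 1 GiB RGB canvas).
MAX_IMAGE_PIXELS = 1024 * 1024 * 1024 // 4 // 3


class DecompressionBombError(Exception):
    pass


def decompression_bomb_check(size, max_pixels=MAX_IMAGE_PIXELS):
    # Simplified model of a bomb check: error far above the limit, warn just above it.
    pixels = size[0] * size[1]
    if pixels > 2 * max_pixels:
        raise DecompressionBombError(f"{pixels} pixels exceeds hard limit {2 * max_pixels}")
    if pixels > max_pixels:
        warnings.warn(f"{pixels} pixels exceeds soft limit {max_pixels}")
    return pixels


def gif_frame_extents(data):
    # Return the logical screen size and each frame's (right, bottom) extent from its image descriptor.
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    extents = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:  # trailer
            break
        if block == 0x2C:  # image descriptor
            left, top, fw, fh, fpacked = struct.unpack("<HHHHB", data[pos + 1:pos + 10])
            pos += 10
            if fpacked & 0x80:  # local colour table
                pos += 3 * (2 << (fpacked & 0x07))
            pos += 1  # LZW minimum code size
            extents.append((left + fw, top + fh))
        elif block == 0x21:  # extension: introducer + label, then sub-blocks
            pos += 2
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")
        while data[pos] != 0:  # skip length-prefixed data sub-blocks
            pos += data[pos] + 1
        pos += 1  # block terminator
    return (width, height), extents


def safe_frame_sizes(data, max_pixels=MAX_IMAGE_PIXELS):
    # Check the pixel budget every time a frame extent would enlarge the canvas, before growing it.
    size, extents = gif_frame_extents(data)
    for right, bottom in extents:
        grown = (max(size[0], right), max(size[1], bottom))
        if grown != size:
            decompression_bomb_check(grown, max_pixels)
            size = grown
    return size


def is_bomb(data, max_pixels=MAX_IMAGE_PIXELS):
    try:
        safe_frame_sizes(data, max_pixels)
    except DecompressionBombError:
        return True
    return False


def _tiny_gif(frame_w, frame_h):
    # Constructed 1x1 logical screen with one frame of the given size and a dummy 1-byte LZW block.
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, frame_w, frame_h, 0)
            + b"\x02" + b"\x01\x00" + b"\x00" + b"\x3b")


SMALL_GIF = _tiny_gif(10, 10)
BOMB_GIF = _tiny_gif(65535, 65535)  # frame extent far larger than the declared screen
```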