
CVE-2025-48379:
Pillow vulnerability can cause write buffer overflow on BCn encoding

CVSS Score
7.1

Basic Information

EPSS Score
-
Published
7/1/2025
Updated
7/1/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Package Name
pillow
Ecosystem
pip
Vulnerable Versions
>= 11.2.0, < 11.3.0
First Patched Version
11.3.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a heap buffer overflow in the DDS image format encoder in the Pillow library. Analysis of the fixing pull request, specifically commits 466d228135cc645b881118b45aa11c868b192f48 and 8cd86b63626259d70b50545fabb554924ed3bd8a, points directly to the ImagingBcnEncode function in src/libImaging/BcnEncode.c. The patches introduce a bounds check inside the encoder's main loop; the absence of that check in vulnerable versions is the root cause. When an image is saved in DDS format, this function is called to encode the pixel data block by block into a fixed-size output buffer, and without the size check the loop keeps writing blocks after the buffer is already full, overflowing it. The vulnerable function is therefore ImagingBcnEncode, and a runtime profile taken during exploitation would show this function in the stack trace.

Vulnerable functions

ImagingBcnEncode
src/libImaging/BcnEncode.c
The function `ImagingBcnEncode` is vulnerable to a heap-based buffer overflow. Inside a `for (;;)` loop it writes one compressed block, either 8 or 16 bytes depending on the BCn variant, to the destination buffer `dst` on each iteration. In vulnerable versions there is no check that the buffer has room for the next block, so a large enough input image makes the function write past the end of the allocated buffer. The initial fix checked for `dst + 8`, but a later commit corrected it to `dst + 16`, because a single iteration can write 16 bytes.
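To make the loop shape concrete, the following is an added toy encoder written for this page; it is not Pillow's source and `enc_state`, `encode_loop`, the `margin` parameter and the 16x8 sample image are inventions for the example. What it keeps from the real format is that BC1 blocks are 8 bytes and BC3 blocks are 16, and that the encoder is handed a fixed-size output buffer that can be smaller than the encoded image. The same loop is run three ways: with no pre-write check (the vulnerable code), with an 8-byte check (the first, incomplete fix) and with a 16-byte check (the corrected fix). A guard region placed after the buffer, inside the same array, shows which variants overrun it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy block encoder modelled on the loop described above. NOT Pillow's
 * ImagingBcnEncode: names, the state struct and `margin` are invented here.
 * Real facts reused: BC1 blocks are 8 bytes, BC3 blocks are 16 bytes, and the
 * caller supplies a fixed-size output buffer that may be too small. */

#define BLOCK_BC1 8
#define BLOCK_BC3 16
#define OUT_LEN 72     /* caller's buffer: deliberately not a multiple of 16 */
#define GUARD_LEN 64   /* bytes after the buffer, filled with a known pattern */
#define GUARD_BYTE 0xAA

typedef struct {
    size_t next_block;   /* index of the next 4x4 tile to encode */
    size_t total_blocks; /* tiles in the constructed image */
    size_t block_size;   /* BLOCK_BC1 or BLOCK_BC3 */
} enc_state;

typedef struct {
    size_t bytes;     /* bytes the loop wrote; exceeds OUT_LEN when unchecked */
    size_t blocks;    /* tiles consumed in this pass */
    int guard_intact; /* 1 if nothing landed past the declared buffer end */
} pass_result;

/* Stand-in for real BCn compression: a deterministic fill derived from the
 * tile index. The bounds bug does not depend on what the block contains. */
static void encode_block(uint8_t *dst, size_t block, size_t block_size) {
    for (size_t i = 0; i < block_size; i++) {
        dst[i] = (uint8_t)(block * 16 + i);
    }
}

/* The encoder loop. `margin` selects the pre-write check:
 *   0  : no check at all (the vulnerable loop)
 *   8  : room for 8 bytes? (the first, incomplete fix; fine for BC1 only)
 *   16 : room for 16 bytes? (the corrected fix, enough for either block size)
 * Returns bytes written and leaves `st` at the next unencoded tile so the
 * caller can call again with a fresh buffer. */
size_t encode_loop(enc_state *st, uint8_t *buf, size_t bytes, size_t margin) {
    uint8_t *dst = buf;
    uint8_t *end = buf + bytes;
    for (;;) {
        if (st->next_block >= st->total_blocks) {
            break; /* whole image encoded */
        }
        if (margin != 0 && dst + margin > end) {
            break; /* output buffer full: hand back what we have */
        }
        encode_block(dst, st->next_block, st->block_size);
        dst += st->block_size;
        st->next_block++;
    }
    return (size_t)(dst - buf);
}

/* One pass over a constructed 16x8 image (8 tiles of 4x4) in 16-byte BC3 mode
 * into OUT_LEN bytes followed by a guard region. The guard lives in the same
 * array, so an overrun is observable without undefined behaviour. */
pass_result run_pass(size_t margin) {
    uint8_t arena[OUT_LEN + GUARD_LEN];
    memset(arena, GUARD_BYTE, sizeof arena);
    enc_state st = {0, 8, BLOCK_BC3};
    pass_result r;
    r.bytes = encode_loop(&st, arena, OUT_LEN, margin);
    r.blocks = st.next_block;
    r.guard_intact = 1;
    for (size_t i = OUT_LEN; i < sizeof arena; i++) {
        if (arena[i] != GUARD_BYTE) {
            r.guard_intact = 0;
        }
    }
    return r;
}

/* How a chunked writer drains the fixed encoder: call again with a fresh
 * OUT_LEN buffer until no tiles remain. Returns total encoded bytes (8 * 16). */
size_t fixed_encode_all(void) {
    uint8_t out[OUT_LEN];
    enc_state st = {0, 8, BLOCK_BC3};
    size_t total = 0;
    while (st.next_block < st.total_blocks) {
        total += encode_loop(&st, out, sizeof out, BLOCK_BC3);
    }
    return total;
}

int main(void) {
    const size_t margins[] = {0, BLOCK_BC1, BLOCK_BC3};
    for (size_t i = 0; i < 3; i++) {
        pass_result r = run_pass(margins[i]);
        printf("margin %2zu: wrote %3zu bytes into a %d-byte buffer, %zu tiles, guard %s\n",
               margins[i], r.bytes, OUT_LEN, r.blocks,
               r.guard_intact ? "intact" : "CLOBBERED");
    }
    printf("chunked fixed encode: %zu bytes total\n", fixed_encode_all());
    return 0;
}
```

With the 72-byte buffer, the unchecked loop writes all 128 bytes and tramples the guard; the 8-byte check still lets a fifth 16-byte block start at offset 64 and run 8 bytes past the end; only the 16-byte check stops at 64 bytes and leaves the remaining tiles for the next call. The margin has to be the largest block the loop can emit, not the smallest, which is the point the second commit corrected.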

Advisory Description

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a
