
GHSA-56pw-mpj4-fxww: Bundled libwebp in Pillow vulnerable

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 10/5/2023
Updated: 10/5/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name: pillow
Ecosystem: pip
Vulnerable Versions: < 10.0.1
First Patched Version: 10.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

This advisory does not describe a flaw in Pillow's own code. Pillow wheels before 10.0.1 ship a bundled libwebp older than 1.3.2, and that library's ReadHuffmanCodes() contains a heap buffer overflow (CVE-2023-4863, earlier also tracked as CVE-2023-5129). The fix in Pillow 10.0.1 replaces the bundled libwebp binary with 1.3.2; Pillow's Python and C sources are unchanged. No Pillow function can therefore be named as the vulnerable one. The overflow is reached whenever Pillow decodes WebP data, for example Image.open() on a WebP file, which goes through Pillow's _webp extension into libwebp, so the exposed surface is any code path that hands untrusted WebP input to Pillow. One caveat for triage: the Pillow version is decisive only for binary wheels. A Pillow built from source links the system's libwebp rather than a bundled copy, so such an install is affected only if that system library is older than 1.3.2, whatever Pillow's own version says.
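The triage logic above can be made mechanical. The following is an added example, not code from Pillow or from this advisory: it compares two signals, the Pillow package version against the advisory's first patched version (10.0.1) and the libwebp version actually linked into Pillow against the upstream fix (1.3.2), and lets the libwebp version win when it is known. It assumes that PIL.features.version("webp") reports the linked libwebp version, which recent Pillow releases do through the _webp module; builds that report None (no WebP support, or an older Pillow that does not expose the version) fall back to the advisory's version range. The version strings passed in the usage are constructed test inputs.

```python
"""Decide whether an installed Pillow carries the CVE-2023-4863 libwebp flaw.

Added example, not code from Pillow or from the advisory. The libwebp version
is treated as the decisive signal because a Pillow built from source links the
system libwebp, not the copy bundled in the wheel, so the Pillow version alone
can be wrong in both directions.
"""
import re

ADVISORY_FIRST_PATCHED_PILLOW = (10, 0, 1)  # from the advisory's package table
FIXED_LIBWEBP = (1, 3, 2)                   # upstream libwebp fix for CVE-2023-4863


def parse_version(text):
    """Turn '10.0.1' or '1.3.2-rc1' into a three-int tuple for comparison.

    Only the leading digits of each dot-separated component are used, so a
    suffix such as '-rc1' or 'a0' does not break the comparison; missing
    components are padded with zeros.
    """
    parts = []
    for component in text.split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(pillow_version, libwebp_version):
    """Classify one installation.

    pillow_version  -- PIL.__version__, e.g. '10.0.0'
    libwebp_version -- PIL.features.version('webp'), or None when Pillow does
                       not report a linked libwebp (no WebP support compiled
                       in, or an older Pillow that does not expose it)

    Returns a dict: 'in_advisory_range' (Pillow < 10.0.1), 'libwebp_vulnerable'
    (linked libwebp < 1.3.2, or None when unknown) and the overall 'vulnerable'
    verdict, which follows libwebp when known and the advisory range otherwise.
    """
    in_advisory_range = parse_version(pillow_version) < ADVISORY_FIRST_PATCHED_PILLOW
    if libwebp_version is None:
        libwebp_vulnerable = None
        vulnerable = in_advisory_range  # conservative: cannot prove the path is gone
    else:
        libwebp_vulnerable = parse_version(libwebp_version) < FIXED_LIBWEBP
        vulnerable = libwebp_vulnerable
    return {
        "in_advisory_range": in_advisory_range,
        "libwebp_vulnerable": libwebp_vulnerable,
        "vulnerable": vulnerable,
    }


def probe_installed():
    """Assess the Pillow in the running interpreter; None if Pillow is absent."""
    try:
        import PIL
        from PIL import features
    except ImportError:
        return None
    try:
        libwebp = features.version("webp")  # None if _webp is missing or unversioned
    except Exception:
        libwebp = None
    return assess(PIL.__version__, libwebp)


if __name__ == "__main__":
    # Constructed inputs: wheel in range, patched wheel, source build against a
    # patched system libwebp, and a patched Pillow linked to an old system libwebp.
    for pillow, webp in [("10.0.0", "1.3.1"), ("10.0.1", "1.3.2"),
                         ("9.5.0", "1.3.2"), ("10.0.1", "1.2.4")]:
        print(pillow, webp, assess(pillow, webp))
    print("installed:", probe_installed())
```

The third and fourth constructed cases are the ones a version-range scanner gets wrong: Pillow 9.5.0 built against system libwebp 1.3.2 is inside the advisory's range but not exploitable through this flaw, while Pillow 10.0.1 built against system libwebp 1.2.4 is outside the range and still exploitable.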


WAF Protection Rules

WAF Rule

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863 (previously CVE-2023-5129). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
