Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pillow | pip | < 10.0.1 | 10.0.1 |
The vulnerability stems from Pillow bundling a vulnerable version of libwebp (prior to 1.3.2) in its binary wheels. The flaw is a heap buffer overflow in libwebp's lossless (VP8L) decoder, reached through ReadHuffmanCodes() while building Huffman tables from a crafted WebP file, and is tracked as CVE-2023-4863 (CVE-2023-5129 was assigned to the same bug and later rejected as a duplicate). Pillow's own Python and C code does not contain the vulnerable function; the flaw resides in the libwebp C library included in Pillow's wheels, and any Pillow code path that decodes an attacker-supplied WebP image (for example Image.open() followed by load()) passes the file to that decoder. The fix in Pillow 10.0.1 was to update the bundled libwebp binary to 1.3.2, not to modify Pillow's code. Thus no specific Pillow function is directly vulnerable; the issue lies in the dependency, not in Pillow's codebase. Two practical consequences follow: a Pillow built from source links whatever libwebp the system provides, so its Pillow version number alone says nothing about exposure, and conversely a Pillow older than 10.0.1 linked against a system libwebp 1.3.2 or later is not exposed through this path. The version of the libwebp actually loaded is the value to check.
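The check described above, as an added example that is not part of the advisory or of the Pillow project: it decides exposure from the linked libwebp version rather than from the Pillow version alone, and treats the source-build case (new Pillow, old system libwebp) as vulnerable. It assumes that PIL.features.version("webp") returns the version string of the libwebp the _webp module was linked against (true for the official wheels) and that PIL.features.check_module("webp") reports whether WebP support was compiled in; the version pairs in the test are constructed inputs.

```python
"""Audit a Pillow installation for the bundled-libwebp heap overflow (CVE-2023-4863).

Added example, not code from the advisory or from Pillow. Assumptions:
PIL.features.version("webp") returns the linked libwebp version string and
PIL.features.check_module("webp") reports whether WebP support is compiled in.
"""
import re

PILLOW_FIXED = (10, 0, 1)   # first Pillow wheel shipping libwebp 1.3.2
LIBWEBP_FIXED = (1, 3, 2)   # first libwebp release with the ReadHuffmanCodes fix


def parse_version(text):
    """'10.0.1' -> (10, 0, 1); '1.3' -> (1, 3, 0); tolerates '10.1.0.dev0' / '1.3.2-rc1' suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def assess(pillow_version, libwebp_version):
    """Return (vulnerable, reason).

    libwebp_version is None when Pillow was built without WebP support: then no
    libwebp is loaded through Pillow and the bug is not reachable via this path.
    """
    pv = parse_version(pillow_version)
    if libwebp_version is None:
        return False, "Pillow built without WebP support; libwebp is not linked"
    lv = parse_version(libwebp_version)
    if lv >= LIBWEBP_FIXED:
        return False, f"linked libwebp {libwebp_version} is >= 1.3.2 (patched)"
    if pv >= PILLOW_FIXED:
        # Pillow is new enough, yet an old libwebp is loaded: a source build or a
        # wheel pointed at a system library. The Pillow version is misleading here.
        return True, (f"Pillow {pillow_version} but linked libwebp {libwebp_version} "
                      "< 1.3.2 (system library?)")
    return True, f"Pillow {pillow_version} < 10.0.1 bundles libwebp {libwebp_version} < 1.3.2"


def audit_installed():
    """Inspect the Pillow in the running interpreter. Returns None if Pillow is absent."""
    try:
        import PIL
        from PIL import features
    except ImportError:
        return None
    webp = features.version("webp") if features.check_module("webp") else None
    return assess(PIL.__version__, webp)


if __name__ == "__main__":
    result = audit_installed()
    print("Pillow not installed" if result is None else result)
```

Run it inside the virtualenv or container image you are auditing, since the answer depends on which _webp shared object that interpreter loads, not on what `pip index` reports. The same assess() logic can be driven from an SBOM or from `ldd` output against a manually built Pillow when the interpreter itself is not available.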