CVE-2021-28677

HIGH7.5EPSS 0.29%

Uncontrolled Resource Consumption in Pillow

Published: 6/8/2021Modified: 4/28/2026

Description

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

Affected packages (5)

Alpine/py3-pillowfrom 0, < 8.2.0-r0
Bitnami/pillowfrom 0, < 8.2.0
Debian/pillowfrom 0, < 8.1.2+dfsg-0.2
PyPI/pillowfrom 0, < 8.2.0
PyPI/pillowfrom 0, < 8.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (14)

ADVISORYhttps://github.com/advisories/GHSA-q5hq-fp76-qmrc
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-28677
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-28677
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-28677
PATCHhttps://github.com/python-pillow/Pillow
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml
WEBhttps://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
WEBhttps://github.com/python-pillow/Pillow/pull/5377
WEBhttps://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
WEBhttps://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
WEBhttps://security.gentoo.org/glsa/202107-33