CVE-2025-48379
HIGH7.1EPSS 0.10%Pillow vulnerability can cause write buffer overflow on BCn encoding
Published: 7/1/2025Modified: 2/4/2026
Description
There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. * Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily deterministic. It may be practically unbounded. * Unclear if there's a restriction on the bytes that could be emitted. It's likely that the only restriction is that the bytes would be emitted in chunks of 8 or 16. This was introduced in Pillow 11.2.0 when the feature was added.
Affected packages (3)
- Bitnami/pillow>= 11.2.0
- PyPI/pillow>= 11.2.0, < 11.3.0
- PyPI/pillowfrom 0, < 89f1f4626a2aaf5f3d5ca6437f41def2998fbe09, < ef98b3510e3e4f14b547762764813d7e5ca3c5a4 | >= 11.2.0, < 11.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48379
- PATCHhttps://github.com/python-pillow/Pillow
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2025-61.yaml
- WEBhttps://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
- WEBhttps://github.com/python-pillow/Pillow/pull/9041
- WEBhttps://github.com/python-pillow/Pillow/releases/tag/11.3.0
- WEBhttps://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952