Heap Buffer Overflow in Python Imaging Library Pillow Affects Multiple Versions
CVE-2025-48379
7.1 HIGH
What is CVE-2025-48379?
Pillow, a popular Python imaging library, is vulnerable in versions 11.2.0 up to (but not including) 11.3.0: a heap buffer overflow occurs when a large DDS-format image exceeding 64k is processed without proper boundary checks. The flaw could be exploited if an attacker persuades a user to save untrusted data as a compressed DDS image, potentially leading to data corruption or arbitrary code execution. The issue is fixed in version 11.3.0.
Affected Version(s)
Pillow >= 11.2.0, < 11.3.0
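A defensive guard for the description and affected range above, written for this page as an added example (it is not Pillow's code): it parses the installed Pillow version with the standard library only, treats the advisory's range 11.2.0 up to before 11.3.0 as affected (pre-releases of 11.3.0 are conservatively counted as unfixed), and refuses any DDS save on an affected version instead of trusting the library's own bounds checks. The helper names and the choice to gate every DDS save, not only compressed ones, are assumptions.

```python
"""Refuse the DDS save path on Pillow versions affected by CVE-2025-48379."""
import re
from importlib import metadata
from typing import Optional, Tuple

# Range from the advisory: Pillow >= 11.2.0, < 11.3.0. The last tuple element
# is a "final release" flag so that 11.3.0rc1 sorts below the fixed 11.3.0
# (conservative: a pre-release of the fix is treated as still vulnerable).
AFFECTED_MIN = (11, 2, 0, 0)
FIXED = (11, 3, 0, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.2.1' or '11.3.0rc1' into a comparable (major, minor, patch, final) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    # Any suffix other than a post-release (e.g. rc1, a2, dev3) marks a pre-release.
    is_final = 0 if suffix and not suffix.startswith(".post") else 1
    return (int(major), int(minor), int(patch or 0), is_final)


def is_affected(version: str) -> bool:
    """True if this Pillow version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_pillow_version() -> Optional[str]:
    """Installed Pillow distribution version, or None if Pillow is not installed."""
    try:
        return metadata.version("pillow")
    except metadata.PackageNotFoundError:
        return None


def dds_save_allowed(fmt: str, version: Optional[str] = None) -> bool:
    """Allow every format except DDS on an affected Pillow (hypothetical helper)."""
    if fmt.upper() != "DDS":
        return True
    version = version if version is not None else installed_pillow_version()
    return version is None or not is_affected(version)


def safe_save(image, path: str, fmt: str, version: Optional[str] = None) -> None:
    """Save `image` via Pillow's Image.save, unless this is the vulnerable DDS path."""
    version = version if version is not None else installed_pillow_version()
    if not dds_save_allowed(fmt, version):
        raise RuntimeError(f"refusing DDS save: Pillow {version} is affected by "
                           "CVE-2025-48379; upgrade to 11.3.0 or later")
    image.save(path, format=fmt)
```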