Python Imaging Library Vulnerability in Pillow Affects GD Image Files
CVE-2026-55380

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-55380?

The Pillow imaging library, widely used for handling image processing in Python applications, contains a vulnerability that allows a crafted .gd file to trigger excessive memory allocation when loaded. This issue arises in the GdImageFile._open() function, where image dimensions read from the GD 2.x header are stored without performing a proper decompression bomb check. This oversight can be exploited to impact system performance and stability. The issue is resolved in version 12.3.0, making it crucial for users to upgrade to this version to mitigate the risk.

Affected Version(s)

Pillow < 12.3.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.