Safeguard
Tag

pillow

Safeguard articles tagged "pillow" — guides, analysis, and best practices for software supply chain and application security.

7 articles

Security Guides

Pillow (PIL) Security Guide (2026)

Pillow is the default image library for Python — and because it parses untrusted image bytes and once shipped an eval-based ImageMath, it has a long, real CVE history spanning arbitrary code execution and native buffer overflows.

Jul 4, 20266 min read
Vulnerability Analysis

CVE-2022-22817: Arbitrary code execution in Pillow via Im...

CVE-2022-22817 lets attackers achieve arbitrary code execution via Pillow's ImageMath.eval() when environment data is attacker-controlled. Patch to 9.0.1+.

Oct 6, 20258 min read
Application Security

CVE-2021-25287: Buffer overflow in Pillow SGI decoder

A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.

Oct 5, 20258 min read
Application Security

CVE-2021-25288: Buffer overflow in Pillow FLI decoder

CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.

Oct 5, 20258 min read
Vulnerability Analysis

CVE-2020-35654: Buffer over-read in Pillow PCX decoder

A buffer over-read in Pillow's PCX decoder (CVE-2020-35654) could crash image-processing services on crafted files. Here's the fix and detection guidance.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2020-35655: Decompression bomb DoS in Pillow

A crafted image file could force Pillow to over-allocate memory, causing denial of service. Here's what CVE-2020-35655 affects, its severity, and how to remediate it.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2023-50447: Arbitrary code execution via Pillow Image...

A patch bypass in Pillow's ImageMath.eval() reopens arbitrary code execution first flagged in CVE-2022-22817. Here's what changed and how to remediate it.

Oct 4, 20258 min read
pillow — Safeguard Blog