CVE-2021-25289 — Out-of-bounds Write in Pillow

CWE-787 — Out-of-bounds Write CWE-120 — Classic Buffer Overflow11 documents9 sources

Severity

9.8CRITICALNVD

CNA8.8GHSA8.8OSV8.8

EPSS

0.2%

top 56.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Paloalto Pan-os

Timeline

PublishedMar 19

Latest updateSep 3

Description

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDpython/pillow< 8.1.1

▶PyPIpython/pillow< 8.1.1

▶Debianpython/pillow< 8.1.1-1+3

▶Ubuntupython/pillow< 3.1.2-0ubuntu1.6+2

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

OSV

Out of bounds write in Pillow↗2021-03-29

▶

GHSA

Out of bounds write in Pillow↗2021-03-29

▶

CVEList

CVE-2021-25289: An issue was discovered in Pillow before 8↗2021-03-19

▶

OSV

CVE-2021-25289: An issue was discovered in Pillow before 8↗2021-03-19

▶

OSV

pillow vulnerabilities↗2021-03-11

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Pillow vulnerabilities↗2021-03-11

▶

Red Hat

python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c↗2021-02-28

▶

Debian

CVE-2021-25289: pillow - An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buff...↗2021

▶

📄Research Papers

arXiv

VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities↗2025-09-03

▶