CVE-2021-25292Regex Denial of Service in Pillow

CWE-1333Regex Denial of ServiceCWE-400Uncontrolled Resource ConsumptionCWE-20Improper Input Validation11 documents8 sources
Severity
6.5MEDIUMNVD
OSV9.8
EPSS
0.1%
top 64.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Pillow
Timeline
PublishedMar 19
Latest updateMay 5

Description

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDpython/pillow< 8.1.1
PyPIpython/pillow5.1.08.1.1
Debianpython/pillow< 8.1.1-1+3
Ubuntupython/pillow< 3.1.2-0ubuntu1.6+2

🔴Vulnerability Details

5
GHSA
Regular Expression Denial of Service (ReDoS) in Pillow2021-03-29
OSV
Regular Expression Denial of Service (ReDoS) in Pillow2021-03-29
OSV
CVE-2021-25292: An issue was discovered in Pillow before 82021-03-19
CVEList
CVE-2021-25292: An issue was discovered in Pillow before 82021-03-19
OSV
pillow vulnerabilities2021-03-11

📋Vendor Advisories

3
Ubuntu
Pillow vulnerabilities2021-03-11
Red Hat
python-pillow: Regular expression DoS in PDF format parser2021-02-28
Debian
CVE-2021-25292: pillow - An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular ...2021

🕵️Threat Intelligence

2
Unit42
File Transfer Threats: Risk Factors and How Network Traffic Visibility Can Help2021-05-05
Unit42
File Transfer Threats: Risk Factors and How Network Traffic Visibility Can Help2021-05-05
CVE-2021-25292 — Regex Denial of Service in Python | cvebase