CVE-2021-28677: Uncontrolled Resource Consumption in Pillow

Severity
NVD: 7.5 HIGH
OSV: 9.1
EPSS
0.3% (top 50.24%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 2
Latest update: Mar 31

Description

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
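A linear-time reader for the line-ending problem described above, added here as an illustration and not taken from Pillow's code. It assumes the four endings \r, \n, \r\n and \n\r must all be accepted; the max_line cap is an assumed hardening, not a Pillow option.

```python
import io
import re

# Two-byte endings are listed first so they win over a lone \r or \n.
_LINE_END = re.compile(rb"\r\n|\n\r|\r|\n")

class PSLineReader:
    """Linear-time readline for EPS headers (constructed for this page, not
    Pillow's code). Pillow < 8.2.0 grew each line with ``s = s + c`` one byte at
    a time, so one long line cost O(n^2) copying; here chunks go into a bytearray."""

    def __init__(self, fp, chunk_size=4096, max_line=1 << 20):
        self.fp = fp
        self.chunk_size = chunk_size
        self.max_line = max_line  # assumed cap, not a Pillow setting
        self.buf = bytearray()
        self.eof = False

    def _fill(self):
        chunk = self.fp.read(self.chunk_size)
        self.eof = not chunk
        self.buf += chunk  # amortised O(1) per byte
        if len(self.buf) > self.max_line:
            raise ValueError("EPS line exceeds %d bytes" % self.max_line)

    def readline(self):
        """Return the next line without its ending, or None at end of input."""
        start = 0
        while True:
            m = _LINE_END.search(self.buf, start)
            if m is None:
                if self.eof:
                    line, self.buf = self.buf, bytearray()
                    return line.decode("latin-1") if line else None
                start = len(self.buf)  # no ending before here; resume after it
                self._fill()
            elif m.end() == len(self.buf) and not self.eof:
                start = m.start()  # an edge \r or \n may pair with the next byte
                self._fill()
            else:
                line = self.buf[:m.start()].decode("latin-1")
                del self.buf[:m.end()]  # leftover is at most about one chunk
                return line

def read_header_lines(data, **kw):
    """Split EPS bytes into a list of lines using PSLineReader."""
    reader = PSLineReader(io.BytesIO(data), **kw)
    return list(iter(reader.readline, None))
```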

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD: python/pillow < 8.2.0
PyPI: python/pillow < 8.2.0
Debian: python/pillow < 8.1.2+dfsg-0.2+3
Ubuntu: python/pillow < 2.3.0-1ubuntu3.4+esm5+2
Palo Alto: paloalto/pan-os

Also affects: Fedora 33

Patches

Vulnerability Details (5)

OSV: pillow vulnerabilities (2026-03-31)
GHSA: Uncontrolled Resource Consumption in Pillow (2021-06-08)
OSV: Uncontrolled Resource Consumption in Pillow (2021-06-08)
CVEList: CVE-2021-28677: An issue was discovered in Pillow before 8 (2021-06-02)
OSV: CVE-2021-28677: An issue was discovered in Pillow before 8 (2021-06-02)

Vendor Advisories (5)

Ubuntu: Pillow vulnerabilities (2026-03-31)
Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Ubuntu: Pillow vulnerabilities (2021-05-19)
Red Hat: python-pillow: Excessive CPU use in EPS image reader (2021-04-01)
Debian: CVE-2021-28677: pillow - An issue was discovered in Pillow before 8.2.0. For EPS data, the readline imple... (2021)
CVE-2021-28677 — Uncontrolled Resource Consumption | cvebase