Vulnerability details: VCID-2ekx-yp9c-vugw
Vulnerability ID VCID-2ekx-yp9c-vugw
Aliases BIT-pillow-2025-48379
CVE-2025-48379
GHSA-xg8h-j46f-w952
PYSEC-2025-61
Summary Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System          Score     Found at
cvssv3          7.1       https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48379.json
epss            0.00013   https://api.first.org/data/v1/epss?cve=CVE-2025-48379
epss            0.00015   https://api.first.org/data/v1/epss?cve=CVE-2025-48379
epss            0.00017   https://api.first.org/data/v1/epss?cve=CVE-2025-48379
cvssv3.1        7.8       https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr     HIGH      https://github.com/advisories/GHSA-xg8h-j46f-w952
cvssv3.1        7.1       https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2025-61.yaml
generic_textual HIGH      https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2025-61.yaml
cvssv3.1        7.1       https://github.com/python-pillow/Pillow
generic_textual HIGH      https://github.com/python-pillow/Pillow
cvssv3.1        7.1       https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
generic_textual HIGH      https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
ssvc            Track     https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
cvssv3.1        7.1       https://github.com/python-pillow/Pillow/pull/9041
generic_textual HIGH      https://github.com/python-pillow/Pillow/pull/9041
ssvc            Track     https://github.com/python-pillow/Pillow/pull/9041
cvssv3.1        7.1       https://github.com/python-pillow/Pillow/releases/tag/11.3.0
generic_textual HIGH      https://github.com/python-pillow/Pillow/releases/tag/11.3.0
ssvc            Track     https://github.com/python-pillow/Pillow/releases/tag/11.3.0
cvssv3.1        7.1       https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
cvssv3.1_qr     HIGH      https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
generic_textual HIGH      https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
ssvc            Track     https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
cvssv3.1        7.1       https://nvd.nist.gov/vuln/detail/CVE-2025-48379
generic_textual HIGH      https://nvd.nist.gov/vuln/detail/CVE-2025-48379
archlinux       High      https://security.archlinux.org/AVG-2906
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48379.json
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): required | Scope (S): unchanged | Confidentiality Impact (C): high | Integrity Impact (I): high | Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2025-61.yaml
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/python-pillow/Pillow
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-01T19:42:09Z/ Found at https://github.com/python-pillow/Pillow/commit/ef98b3510e3e4f14b547762764813d7e5ca3c5a4
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/python-pillow/Pillow/pull/9041
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-01T19:42:09Z/ Found at https://github.com/python-pillow/Pillow/pull/9041
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/python-pillow/Pillow/releases/tag/11.3.0
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-01T19:42:09Z/ Found at https://github.com/python-pillow/Pillow/releases/tag/11.3.0
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-01T19:42:09Z/ Found at https://github.com/python-pillow/Pillow/security/advisories/GHSA-xg8h-j46f-w952
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-48379
Attack Vector (AV): local | Attack Complexity (AC): low | Privileges Required (PR): low | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.01395
EPSS Score 0.00013
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:27:38.946605+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2025-61.yaml 37.0.0