Search for vulnerabilities
Vulnerability details: VCID-zf32-mcdq-ubhy
Vulnerability ID VCID-zf32-mcdq-ubhy
Aliases GHSA-4fx9-vc88-q2xc
GMS-2022-347
Summary Infinite loop in Pillow JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder. If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-400 Uncontrolled Resource Consumption
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr LOW https://github.com/advisories/GHSA-4fx9-vc88-q2xc
generic_textual LOW https://github.com/python-pillow/Pillow
generic_textual LOW https://github.com/python-pillow/Pillow/commit/baae9ec4b67c68e3adaf1208cf54e8de5e38a6fd
generic_textual LOW https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#ensure-jpegimageplugin-stops-at-the-end-of-a-truncated-file
Reference id Reference type URL
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/commit/baae9ec4b67c68e3adaf1208cf54e8de5e38a6fd
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#ensure-jpegimageplugin-stops-at-the-end-of-a-truncated-file
GHSA-4fx9-vc88-q2xc https://github.com/advisories/GHSA-4fx9-vc88-q2xc
No exploits are available.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-07-31T09:03:39.477321+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-4fx9-vc88-q2xc/GHSA-4fx9-vc88-q2xc.json 37.0.0