PyPI: pillow

CVE-2026-40192

Safety vulnerability ID: SFTY-20260413-34319

Safety legacy ID: pyup.io-93093

Created at: Apr 27, 2026
Updated at: Apr 27, 2026

Overview

FITS GZIP decompression bomb in Pillow

Advisory

Affected versions of the pillow package are vulnerable to Denial of Service due to unrestricted GZIP-compressed data consumption during FITS image decoding. The FITS image plugin does not limit the amount of GZIP-compressed data read when processing a FITS file, allowing unbounded memory allocation. An attacker can supply a specially crafted FITS file containing a GZIP decompression bomb, causing an out-of-memory crash or severe performance degradation.
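As an added defensive example (not from this advisory or from Pillow's own code), the Python below shows the kind of bound a consumer can place on gzip data before passing a FITS file to an affected version: it inflates in fixed chunks and aborts as soon as the output would exceed a caller-chosen cap, deciding on bytes actually produced rather than on the stream's own size trailer. `make_gzip_sample` builds a constructed high-ratio stream so the check can be exercised offline; `bounded_gunzip` and `exceeds_limit` are hypothetical helper names.

```python
import gzip
import zlib


class DecompressionLimitExceeded(ValueError):
    """Raised when a gzip stream would inflate past the caller's cap."""


def bounded_gunzip(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip stream, refusing to produce more than max_output bytes.

    zlib is driven with max_length so memory grows by at most one chunk per
    step, and the decision rests on bytes actually produced rather than on
    the attacker-controlled (and only 32-bit) ISIZE trailer.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: gzip framing
    out = bytearray()
    pending = data
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(inflater.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output exceeded {max_output} bytes after {consumed} compressed bytes"
            )
        pending = inflater.unconsumed_tail
        if not piece and not pending:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def exceeds_limit(data: bytes, max_output: int) -> bool:
    """True if inflating data would blow past max_output bytes."""
    try:
        bounded_gunzip(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


def make_gzip_sample(raw_size: int) -> bytes:
    """Constructed input: highly compressible zeros, bomb-shaped when large."""
    return gzip.compress(b"\x00" * raw_size)


if __name__ == "__main__":
    bomb = make_gzip_sample(20_000_000)  # ~20 KB compressed, 20 MB inflated
    print(len(bomb), "compressed bytes; exceeds 1 MiB cap:", exceeds_limit(bomb, 1 << 20))
```

The cap only protects the caller's own pre-check; the fix for the decoder itself is the upgrade to 12.2.0 given below.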

Affected Package

Affecting pillow package, versions >=10.3.0,<12.2.0

Also affects

---

How to Fix

Upgrade pillow to 12.2.0 or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
