PyPI: pillow

CVE-2026-42310

Safety vulnerability ID: SFTY-20260504-68238

Safety legacy ID: pyup.io-95895

Affected versions of the pillow package are vulnerable to Denial of Service due to an unbounded loop when traversing PDF cross-reference trailer chains without cycle detection. The PdfParser module follows Prev pointers in PDF trailers to read cross-reference sections, but it does not track previously processed offsets, so a trailer whose Prev pointer references its own offset or forms a longer cycle causes the parser to loop indefinitely. A remote attacker who supplies a crafted PDF document can cause the parsing process to hang, consuming 100% CPU and rendering the consuming application unresponsive.
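The defect described above is the absence of a visited-offset check while walking the trailer chain. The following is an added illustration, not Pillow's own code and not the fix shipped in 12.2.0 (whose exact shape is not given on this page): a small walker over a constructed, fixed-width PDF-like byte layout that records every trailer offset it has processed and rejects a /Prev pointer that returns to one of them, whether the pointer references its own section or closes a longer cycle. The helper names, the 64-byte section layout and the sample documents are assumptions made for the example.

```python
import re

# Constructed layout (not a real PDF): every trailer section is padded to a
# fixed width so that byte offsets are simply index * SECTION.
SECTION = 64

TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
PREV_RE = re.compile(rb"/Prev\s+(\d+)")
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)\s*%%EOF")


def build_doc(prev_links):
    """Build a constructed PDF-like byte string with one trailer per entry.

    prev_links[i] is the index of the section that section i's /Prev points
    to, or None for the end of the chain. Section i starts at i * SECTION.
    """
    parts = []
    for prev in prev_links:
        body = b"trailer\n<< /Size 10"
        if prev is not None:
            body += b" /Prev %d" % (prev * SECTION)
        body += b" >>\n"
        assert len(body) <= SECTION, "section body exceeds fixed width"
        parts.append(body.ljust(SECTION, b" "))
    last = (len(prev_links) - 1) * SECTION
    return b"".join(parts) + b"startxref\n%d\n%%%%EOF\n" % last


def read_trailer_chain(data):
    """Return the list of trailer offsets reached by following /Prev pointers.

    Unlike the unbounded loop described in the advisory, this walker keeps a
    set of offsets it has already visited and raises as soon as a /Prev
    pointer leads back to one of them. Out-of-range pointers and offsets that
    do not hold a trailer dictionary are rejected as well.
    """
    m = STARTXREF_RE.search(data)
    if not m:
        raise ValueError("no startxref / %%EOF marker")
    offset = int(m.group(1))

    visited = set()
    chain = []
    while offset is not None:
        if offset in visited:
            raise ValueError(f"/Prev cycle: offset {offset} already visited")
        if not 0 <= offset < len(data):
            raise ValueError(f"/Prev offset {offset} outside document")
        visited.add(offset)
        t = TRAILER_RE.match(data, offset)
        if not t:
            raise ValueError(f"no trailer dictionary at offset {offset}")
        chain.append(offset)
        p = PREV_RE.search(t.group(1))
        offset = int(p.group(1)) if p else None
    return chain


def classify(prev_links):
    """Demo helper: ('ok', chain) or ('rejected', reason) for a layout."""
    try:
        return "ok", read_trailer_chain(build_doc(prev_links))
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Well-formed document: three incremental updates, newest section last.
    print(classify([None, 0, 1]))
    # Trailer whose /Prev references its own offset.
    print(classify([None, 1]))
    # Three trailers forming a longer cycle: 128 -> 64 -> 0 -> 128.
    print(classify([2, 0, 1]))
```

A visited set is the minimal cycle guard; a parser that also caps the number of sections it will follow gets an additional bound against documents that are acyclic but absurdly long, since each hop costs a seek and a dictionary parse.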

Created at: May 13, 2026. Updated at: May 13, 2026.

Overview

Pillow has a PDF Parsing Trailer Infinite Loop (DoS)

Affected Package

Affecting pillow package, versions >=4.2.0,<12.2.0

How to Fix

Upgrade pillow to 12.2.0 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.