GHSA-hjfx-8p6c-g7gx · Severity: medium · Ecosystem: pip — Insufficient Verification of Data Authenticity in Pillow
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
Conclusion & alert: CVE-2021-28678 is rated Moderate Risk (40/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.73%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.08% | 0.73% | +0.65% |
| 2 | 2025-06-21 | 0.21% | 0.08% | -0.13% |
| 3 | 2025-06-19 | — | 0.21% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-hjfx-8p6c-g7gx · Severity: medium · Ecosystem: pip — Insufficient Verification of Data Authenticity in Pillow
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
medium | CVE-2021-28678: 1 source package rows (py3-pillow); 8 state rows across 8 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community, edge-main); fixed 8, open 0. | https://security.alpinelinux.org/vuln/CVE-2021-28678 |
debian
|
not yet assigned | CVE-2021-28678 not yet assigned priority: Debian including 1 source packages (pillow), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-28678 |
gentoo
|
normal | CVE-2021-28678: 1 GLSA(s) (202107-33), 1 atom(s) (dev-python/pillow); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-28678 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2021-28678 |
suse
|
high | CVE-2021-28678 severity important: SUSE including 7 source package names (python-Pillow, python-Pillow-5.2.0-3.8.1, …), 33 product×package rows across 17 product lines (HPE Helion OpenStack 8, SUSE Liberty Linux 8, … (17 product lines)): Known Not Affected 25, Fixed 8. | https://www.suse.com/security/cve/CVE-2021-28678/ |
ubuntu
|
low | CVE-2021-28678 low priority: Ubuntu including 3 source packages (pillow, pillow-python2, python-imaging), 48 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 28, released 14, ignored 2, needs-triage 2, not-affected 2. | https://ubuntu.com/security/CVE-2021-28678 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| python | pillow | < 8.2.0 | cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 33 | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/python-pillow/Pillow/pull/5377 | Patch Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ | |
| https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos | Release Notes Vendor Advisory |
| https://security.gentoo.org/glsa/202107-33 | Third Party Advisory |