feat(deps): [SECURITY] Update dependency pillow to <12.1.2,>=12.1.1 [SECURITY] #558

Merged

renovate-bot merged 1 commits from renovate/pypi-pillow-vulnerability into main 2026-02-14 13:38:45 +00:00

Conversation 2 Commits 1 Files Changed 2 +58 -58

renovate-bot commented 2026-02-11 17:56:07 +00:00

Member

Copy Link

This PR contains the following updates:

Package	Change	Age	Confidence
pillow (changelog)	<12.1.1,>=12.1.0 → <12.1.2,>=12.1.1

---

Pillow affected by out-of-bounds write when loading PSD images

CVE-2026-25990 / GHSA-cfh3-3jmp-rvhc

More information

Details

Impact

An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.

Patches

Pillow 12.1.1 will be released shortly with a fix for this.

Workarounds

Image.open() has a formats parameter that can be used to prevent PSD images from being opened.

References

Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

• https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc
• https://nvd.nist.gov/vuln/detail/CVE-2026-25990
• https://github.com/python-pillow/Pillow/pull/9427
• https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199
• https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa
• https://github.com/python-pillow/Pillow
• https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

python-pillow/Pillow (pillow)

v12.1.1

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

• Patch libavif for svt-av1 4.0 compatibility #​9413 [@​hugovk]

Other changes

• Fix OOB Write with invalid tile extents #​9427 [@​radarhere]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [pillow](https://github.com/python-pillow/Pillow) ([changelog](https://github.com/python-pillow/Pillow/releases)) | `<12.1.1,>=12.1.0` → `<12.1.2,>=12.1.1` |  |  | --- ### Pillow affected by out-of-bounds write when loading PSD images [CVE-2026-25990](https://nvd.nist.gov/vuln/detail/CVE-2026-25990) / [GHSA-cfh3-3jmp-rvhc](https://github.com/advisories/GHSA-cfh3-3jmp-rvhc) <details> <summary>More information</summary> #### Details ##### Impact An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected. ##### Patches Pillow 12.1.1 will be released shortly with a fix for this. ##### Workarounds `Image.open()` has a `formats` parameter that can be used to prevent PSD images from being opened. ##### References Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html #### Severity - CVSS Score: Unknown - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P` #### References - [https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc](https://github.com/python-pillow/Pillow/security/advisories/GHSA-cfh3-3jmp-rvhc) - [https://nvd.nist.gov/vuln/detail/CVE-2026-25990](https://nvd.nist.gov/vuln/detail/CVE-2026-25990) - [https://github.com/python-pillow/Pillow/pull/9427](https://github.com/python-pillow/Pillow/pull/9427) - [https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199](https://github.com/python-pillow/Pillow/commit/54ba4db542ad3c7b918812a4e2d69c27735a3199) - [https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa](https://github.com/python-pillow/Pillow/commit/9000313cc5d4a31bdcdd6d7f0781101abab553aa) - [https://github.com/python-pillow/Pillow](https://github.com/python-pillow/Pillow) - [https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html](https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-cfh3-3jmp-rvhc) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>python-pillow/Pillow (pillow)</summary> ### [`v12.1.1`](https://github.com/python-pillow/Pillow/releases/tag/12.1.1) [Compare Source](https://github.com/python-pillow/Pillow/compare/12.1.0...12.1.1) <https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html> #### Dependencies - Patch libavif for svt-av1 4.0 compatibility [#&#8203;9413](https://github.com/python-pillow/Pillow/issues/9413) \[[@&#8203;hugovk](https://github.com/hugovk)] #### Other changes - Fix OOB Write with invalid tile extents [#&#8203;9427](https://github.com/python-pillow/Pillow/issues/9427) \[[@&#8203;radarhere](https://github.com/radarhere)] </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44LjIiLCJ1cGRhdGVkSW5WZXIiOiI0My44LjUiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInNlY3VyaXR5Il19-->

renovate-bot added the security label 2026-02-11 17:56:07 +00:00

renovate-bot added 1 commit 2026-02-11 17:56:08 +00:00

[SECURITY] Update dependency pillow to <12.1.2,>=12.1.1 [SECURITY] 5b4c860878

renovate-bot requested review from luke 2026-02-11 17:56:08 +00:00

renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-02-11 17:56:20 +00:00

luke changed title from [SECURITY] Update dependency pillow to <12.1.2,>=12.1.1 [SECURITY] to feat(deps): [SECURITY] Update dependency pillow to <12.1.2,>=12.1.1 [SECURITY] 2026-02-14 13:37:16 +00:00

luke approved these changes 2026-02-14 13:37:23 +00:00

Dismissed

luke force-pushed renovate/pypi-pillow-vulnerability from 5b4c860878 to 1cc7c0cf73 2026-02-14 13:37:30 +00:00 Compare

luke dismissed luke's review 2026-02-14 13:37:30 +00:00

Reason:

New commits pushed, approval review dismissed automatically according to repository settings

renovate-bot requested review from luke 2026-02-14 13:37:30 +00:00

luke approved these changes 2026-02-14 13:38:43 +00:00

renovate-bot merged commit 80b4bc0054 into main 2026-02-14 13:38:45 +00:00

renovate-bot deleted branch renovate/pypi-pillow-vulnerability 2026-02-14 13:38:45 +00:00

renovate-bot referenced this issue from a commit 2026-02-14 13:38:47 +00:00

[SECURITY] Update dependency pillow to <12.1.2,>=12.1.1 [SECURITY] (#558)

Sign in to join this conversation.

Reviewers

No Reviewers

luke

Labels

Clear labels

blocked

bug

Something isn't working

dependencies

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

linting

question

Further information is requested

security

type

bugfix

type

dependencies

type

feature

type

other

unit-tests

wontfix

This will not be worked on

Compat/Breaking

Breaking change that won't be backward compatible

Kind/Bug

Something is not working

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Security

This is security issue

Kind/Testing

Issue or pull request related to testing

Priority

Critical

The priority is critical

Priority

High

The priority is high

Priority

Low

The priority is low

Priority

Medium

The priority is medium

Reviewed

Confirmed

Issue has been confirmed

Reviewed

Duplicate

This issue or pull request already exists

Reviewed

Invalid

Invalid issue

Reviewed

Won't Fix

This issue won't be fixed

Status

Abandoned

Somebody has started to work on this but abandoned work

Status

Blocked

Something is blocking this issue or pull request

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No Label security

Milestone

No items

No Milestone

Assignees

Clear assignees

Alexander.Lyall ai-review-bot gitea-actions-bot luke renovate-bot

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: repos/webexmemebot#558