Is Pillow affected by WebP vulnerability?

[afk42]

Being aware that CVE-2023-4863 was already fixed in Pillow 10.0.1 and as I'm unable to update to that version at the moment, I want to understand if Pillow really uses any of the functionality where the issue resides or if the CVE can be whitelisted since use of this vulnerable library is excluded by the functional design of Pillow.

Thank you

What are your OS, Python and Pillow versions?

• OS:
• Python:
• Pillow: < 10.0.1

[radarhere]

Pillow calls WebPAnimDecoderGetNext, which calls WebPDecode, calling DecodeInto, calling VP8LDecodeHeader, calling DecodeImageStream, calling ReadHuffmanCodes, calling ReadHuffmanCode, calling VP8LBuildHuffmanTable, calling BuildHuffmanTable - so I don't see why we wouldn't be vulnerable.

You might also be interested in this distinction - the source code of Pillow itself did not really change in 10.0.1 to address this situation. 10.0.1 was released to provide new wheels to those who do not compile Pillow from source. You could use an earlier version of Pillow with a recent version of libwebp and not be vulnerable.

[afk42]

Thank you for your answer. @radarhere
So if I understood correctly I can just bump up the version of libwebp and maintain compatibility with <10.0.1 versions.

[radarhere]

Yes, provided you're building from source rather than using the precompiled wheels.

[afk42]

Thanks for all the info.