Bundled libwebp in Pillow vulnerable

Published: Oct 5, 2023
Updated: Oct 5, 2023
GHSA: <a href="https://github.com/advisories/GHSA-56pw-mpj4-fxww" target="_blank" rel="noopener"> GHSA-56pw-mpj4-fxww
Severity: High
Exploit:

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.