[GHSA-jgpv-4h4c-xhw3] Uncontrolled Resource Consumption in pillow#8475

Open
yusuke-koyoshi wants to merge 1 commit into
yusuke-koyoshi/advisory-improvement-8475from
yusuke-koyoshi-GHSA-jgpv-4h4c-xhw3

Conversation

@yusuke-koyoshi

@yusuke-koyoshi yusuke-koyoshi commented Jul 2, 2026


Updates

  • Affected products
  • CVSS v3
  • Severity

Comments
We would like to request the withdrawal of GHSA-jgpv-4h4c-xhw3 ("Uncontrolled Resource Consumption in pillow") from the GitHub Advisory Database. It appears to be a test advisory that was published unintentionally, and the vulnerability it describes is already correctly tracked as GHSA-f4w8-cv6p-x6r5 (CVE-2021-27921).
Reasons supporting withdrawal:

  • It is not an original advisory. It was published from rhh/pyVulApp, which appears to be a demo/test repository ("Python Vulnerable App"), not the Pillow project. Its "Impact" section is copied verbatim from the CVE-2021-27921 description, and its only reference is the NVD page for that CVE — already fully covered by GHSA-f4w8-cv6p-x6r5.
  • It still contains unedited template placeholders. The "For more information" section reads "Open an issue in example link to repo" and "Email us at example@example.com", strongly suggesting accidental publication of a draft/test.
  • The affected version range is incorrect and self-contradictory. It lists affected versions < 8.1.1 with patched version 8.1.2, leaving 8.1.1 neither affected nor patched. The actual fix for CVE-2021-27921 shipped in Pillow 8.1.2 (python-pillow/Pillow@756fff3), so the correct range is < 8.1.2, as recorded in GHSA-f4w8-cv6p-x6r5.
  • The description contradicts the range and mixes in an unrelated CVE. The "Impact" section says "Pillow before 8.1.1", and the "Patches" and "Workarounds" sections contain text copied from CVE-2019-16865 ("An issue was discovered in Pillow before 6.2.0..."), a different vulnerability.

Because this advisory adds no information beyond GHSA-f4w8-cv6p-x6r5 and its incorrect version range causes inaccurate vulnerability matches (e.g., for Pillow 8.1.1), we ask that GHSA-jgpv-4h4c-xhw3 be withdrawn.

@github

github commented Jul 2, 2026


Hi there @rhh! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings July 2, 2026 04:31
Copilot stopped work on behalf of yusuke-koyoshi due to an error July 2, 2026 04:31
@github-actions github-actions Bot changed the base branch from main to yusuke-koyoshi/advisory-improvement-8475 July 2, 2026 04:32

Copilot AI left a comment

Pull request overview

This PR aims to withdraw GHSA-jgpv-4h4c-xhw3 (“Uncontrolled Resource Consumption in pillow”) from the GitHub Advisory Database because it appears to be an accidentally published test/duplicate advisory for CVE-2021-27921 (already covered by GHSA-f4w8-cv6p-x6r5).

Changes:

  • Updates advisory metadata (e.g., modified) and removes the top-level CVSS severity block.
  • Alters the affected package entry (including blanking the package name and removing the upper-bounding version event).
  • Adjusts database_specific.severity.

Comment on lines +4 to 8
"modified": "2023-01-09T05:04:45Z",
"published": "2021-04-23T16:54:36Z",
"aliases": [],
"summary": "Uncontrolled Resource Consumption in pillow",
"details": "### Impact\n_Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large._\n\n### Patches\n_An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._\n\n### Workarounds\n_An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27921\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)",
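Review bot: the details string at the end of this hunk is left unchanged, so the "Pillow before 8.1.1" wording, the CVE-2019-16865 text under Patches and Workarounds, and the example.com / example@example.com placeholders that the PR body lists as defects would all remain in the published record; since the request is withdrawal rather than correction, mark the advisory as withdrawn instead of only bumping the metadata and leaving this block in place.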
Comment on lines 12 to 16
"package": {
"ecosystem": "PyPI",
"name": "pillow"
"name": ""
},
"ranges": [
"CWE-400"
],
"severity": "MODERATE",
"severity": "LOW",
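Review bot: blanking the package name (`"name": "pillow"` replaced by `"name": ""`) and lowering severity from MODERATE to LOW do not implement the withdrawal the PR description asks for; an empty package name leaves a malformed affected entry that consumers cannot match at all, and a severity downgrade implies the advisory stays valid. Keep the original package entry and severity and express the withdrawal through the advisory's withdrawn status rather than by editing the affected-product fields. The rendering also runs `"ranges": [` straight into `"CWE-400"`, so the version events that the review summary says were removed are not visible here; please include the full ranges block in the diff.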

3 participants