CVE-2021-28676

7.5 HIGH

📋 TL;DR

This vulnerability in Pillow's FLI image decoder allows attackers to cause a denial-of-service (DoS) condition by triggering an infinite loop when processing specially crafted FLI files. It affects applications that use Pillow to load FLI format images. The impact is limited to DoS rather than code execution.

💻 Affected Systems

Products:
  • Pillow (Python Imaging Library fork)
Versions: All versions before 8.2.0
Operating Systems: All operating systems running Python with Pillow
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects FLI format image processing. Applications must use Pillow's image loading functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application becomes unresponsive due to an infinite loop, causing service disruption and potential resource exhaustion.

🟠 Likely Case: Application crashes or hangs when processing malicious FLI files, requiring a restart.

🟢 If Mitigated: With proper input validation and resource limits, impact is limited to failed image processing.

🌐 Internet-Facing: MEDIUM - Web applications accepting image uploads could be subjected to DoS by malicious FLI files.
🏢 Internal Only: LOW - Requires user interaction to load malicious files, limited to affected applications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires crafting a malicious FLI file. No authentication needed if application accepts image uploads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.0 and later

Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos

Restart Required: No

Instructions:

1. Update Pillow: pip install --upgrade "pillow>=8.2.0" (the quotes keep the shell from treating ">=" as a redirection)
2. Verify installation: pip show pillow
3. Restart any running Python applications using Pillow

🔧 Temporary Workarounds

Disable FLI format support (applies to: all)

  • Remove or disable FLI format handling in Pillow configuration
  • Modify application code to reject FLI files before Pillow processing

Implement file type validation (applies to: all)

  • Validate uploaded files are not FLI format before processing
  • Add file extension and magic number validation for image uploads

🧯 If You Can't Patch

  • Implement strict file upload validation to reject FLI files
  • Run Pillow in isolated environments with resource limits to prevent system-wide DoS
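The magic-number gate described in the workarounds above and the version check from "How to Verify", as an added example (not code from Pillow or from this advisory). It assumes the standard FLI/FLC header layout, where a 2-byte little-endian magic of 0xAF11 (FLI) or 0xAF12 (FLC) sits at offset 4, and uses constructed sample headers rather than real exploit files.

```python
import struct
from itertools import takewhile
from typing import Tuple

# FLI/FLC header: 4-byte file size, then a 2-byte little-endian magic at
# offset 4 (0xAF11 for FLI, 0xAF12 for FLC). Checking the bytes, not just
# the extension, catches a renamed FLI file.
FLI_MAGICS = {0xAF11, 0xAF12}
FLI_EXTENSIONS = {".fli", ".flc"}
FIXED_VERSION = (8, 2, 0)  # Pillow 8.2.0 fixes CVE-2021-28676


def is_fli(data: bytes) -> bool:
    """True if the bytes carry an FLI/FLC header magic, whatever the filename."""
    if len(data) < 6:
        return False
    (magic,) = struct.unpack_from("<H", data, 4)
    return magic in FLI_MAGICS


def reject_fli_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gate an upload before it reaches Image.open(): returns (accepted, reason)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in FLI_EXTENSIONS:
        return False, "FLI/FLC extension not accepted"
    if is_fli(data):
        return False, "FLI/FLC magic number found in content"
    return True, "ok"


def pillow_is_patched(version: str) -> bool:
    """Compare a Pillow version string (PIL.__version__) against 8.2.0."""
    # Keep only the leading digits of each component so "8.1.2.post1" parses.
    parts = [int("".join(takewhile(str.isdigit, p)) or 0)
             for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= FIXED_VERSION


# Constructed samples (not real exploit files): a 128-byte FLI header with the
# 0xAF11 magic, 1 frame, 64x64, 8-bit depth, flags=3; and a PNG signature.
SAMPLE_FLI = struct.pack("<IHHHHHH", 128, 0xAF11, 1, 64, 64, 8, 3).ljust(128, b"\0")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 120

if __name__ == "__main__":
    print(reject_fli_upload("frame.png", SAMPLE_FLI))  # renamed FLI is still caught
    print(reject_fli_upload("logo.png", SAMPLE_PNG))
    print(pillow_is_patched("8.1.2"), pillow_is_patched("8.2.0"))
```

Place the gate in front of every Image.open() call on untrusted input; on a patched Pillow it remains a cheap defence-in-depth check.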

🔍 How to Verify

Check if Vulnerable:

Check Pillow version: python -c "import PIL; print(PIL.__version__)" and compare to 8.2.0

Check Version:

python -c "import PIL; print('Pillow version:', PIL.__version__)"

Verify Fix Applied:

Test with a known-malicious FLI file - the application should reject it or handle it gracefully without hanging

📡 Detection & Monitoring

Log Indicators:

  • Application hanging/crashing during image processing
  • High CPU usage from Python processes
  • Failed image loading attempts

Network Indicators:

  • FLI file uploads to web applications
  • Unusual image upload patterns

SIEM Query:

source="application.log" AND ("Pillow" OR "image processing") AND ("hang" OR "crash" OR "high cpu")
