PT-2020-5160 · Python Imaging Library · Pillow

Published 2020-01-05 · Updated 2023-02-01 · CVE-2019-19911

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pillow versions prior to 6.2.2
Description: FpxImagePlugin.py reads the number of colour bands from the image's property data as a 32-bit integer and passes it straight to the range function without validating it. A crafted FPX file that declares a very large band count therefore makes the plugin attempt a correspondingly large loop, which leads to a denial of service (DoS). On Windows running 32-bit Python this results in an OverflowError or MemoryError due to the 2 GB limit; on Linux running 64-bit Python the process is terminated by the OOM killer. A remote attacker who can get such a file opened with Pillow can exploit this to cause a denial of service.
Recommendations: Update Pillow to version 6.2.2 or later, which validates the band count before using it. If you cannot upgrade immediately, keep untrusted input away from the FPX decoder: remove or disable the FpxImagePlugin module in the deployed installation so that Image.open cannot dispatch to it, or allow-list the image formats your application actually accepts before handing data to Pillow (newer Pillow releases expose this directly through the formats argument of Image.open). When writing your own decoders, bound every count or length read from the file before passing it to range() or using it to size an allocation.
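The pattern behind this advisory and its fix, as an added example written for this page (it is not Pillow's FpxImagePlugin and not code from the advisory): a 32-bit band count read from attacker-controlled property data drives a range() loop, shown in its unchecked pre-6.2.2 shape beside a hardened version that applies the four-band limit Pillow 6.2.2 introduced. The field layout (count at offset 4, one 32-bit entry per band from offset 8, bit 31 used as an "uncalibrated" flag, four leading bytes skipped) follows what the plugin reads; the function names and the sample sections are constructed for the demo and are not real FlashPix files. One caveat the demo relies on: under Python 2, range(n) materialises a list of n integers before the loop starts, which is the allocation the advisory describes; under Python 3, range() is lazy, so the same loop on a short section fails with struct.error instead, which is why the unchecked variant can be called safely here.

```python
"""CVE-2019-19911 pattern: a 32-bit band count read from the file drives range().

Illustrative code written for this page; it is not Pillow's FpxImagePlugin.
Layout assumed from the plugin's reader: band count is a little-endian
uint32 at offset 4, each band is a uint32 entry from offset 8 whose top bit
is an "uncalibrated" flag, and the first four bytes are skipped.
"""
import struct

MAX_FPX_BANDS = 4            # the limit Pillow 6.2.2 enforces (bands > 4 is rejected)
UNCALIBRATED_FLAG = 0x80000000


def i32le(buf: bytes, offset: int = 0) -> int:
    """Unsigned little-endian 32-bit read, like Pillow's _binary.i32le."""
    return struct.unpack_from("<I", buf, offset)[0]


def declared_band_count(section: bytes) -> int:
    """The band count exactly as the file declares it, with no validation."""
    return i32le(section, 4)


def parse_colour_table_unchecked(section: bytes) -> list:
    """Pre-6.2.2 shape of the loop: the file's count is trusted as-is.

    Python 2: range(n) builds a list of n ints up front, so a count near
    2**32 tries to allocate gigabytes before the first iteration
    (OverflowError/MemoryError on 32-bit Windows, OOM kill on 64-bit Linux).
    Python 3: range() is lazy, so the loop runs off the end of a short
    section and raises struct.error instead.
    """
    colours = []
    for i in range(i32le(section, 4)):
        colours.append(i32le(section, 8 + i * 4) & 0x7FFFFFFF)  # drop flag bit
    return colours


def parse_colour_table(section: bytes) -> list:
    """6.2.2-style loop: bound the count before it drives any iteration.

    Pillow's fix rejects more than four bands; this version additionally
    checks that the declared entries are present, so a truncated property
    fails with a clear ValueError rather than a struct.error inside the loop.
    """
    if len(section) < 8:
        raise ValueError("colour table header truncated")
    bands = i32le(section, 4)
    if bands > MAX_FPX_BANDS:
        raise ValueError("invalid number of bands: %d" % bands)
    needed = 8 + 4 * bands
    if len(section) < needed:
        raise ValueError("colour table truncated: need %d bytes, have %d"
                         % (needed, len(section)))
    return [i32le(section, 8 + i * 4) & 0x7FFFFFFF for i in range(bands)]


def build_section(declared_count: int, entries: list) -> bytes:
    """Construct a property blob (4 skipped bytes, count, entries) for testing."""
    return struct.pack("<II", 0, declared_count) + b"".join(
        struct.pack("<I", e) for e in entries)


def rejects(section: bytes) -> bool:
    """True if the hardened parser refuses the section."""
    try:
        parse_colour_table(section)
    except ValueError:
        return True
    return False


def unchecked_outcome(section: bytes) -> str:
    """How the pre-fix loop ends on Python 3 for a given section."""
    try:
        parse_colour_table_unchecked(section)
    except struct.error:
        return "struct.error"
    except MemoryError:
        return "MemoryError"
    return "ok"


# Constructed inputs (not real FlashPix files): a benign three-band table with
# the second band flagged uncalibrated, and a table that declares 2**32-1 bands
# while carrying only three entries, as an attacker-supplied file would.
BENIGN = build_section(3, [0, UNCALIBRATED_FLAG | 1, 2])
MALICIOUS = build_section(0xFFFFFFFF, [0, 1, 2])

if __name__ == "__main__":
    print("benign   : declares", declared_band_count(BENIGN),
          "bands ->", parse_colour_table(BENIGN))
    print("malicious: declares", declared_band_count(MALICIOUS), "bands;",
          "hardened parser rejects it:", rejects(MALICIOUS),
          "| unchecked loop on Python 3:", unchecked_outcome(MALICIOUS))
```

The hardened parser makes two decisions before any loop runs: it caps the count at the format's real maximum and it checks that the buffer actually holds that many entries. Either check alone defeats the crafted count; together they also turn truncated input into a single well-defined error at the boundary instead of an exception from deep inside the decoder.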

Fix

DoS

Integer Overflow

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2020-05771
CVE-2019-19911
DLA-2057-1
DSA-4631-1
GHSA-5GM3-PX64-RW72
MGASA-2020-0088
PYSEC-2020-172
SUSE-RU-2020:2072-1
SUSE-RU-2020:2161-1
SUSE-SU-2020:1901-1
SUSE-SU-2020:2057-1
USN-4272-1

Affected Products

Pillow
Ubuntu