Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Affected Packages

PyPI Pillow

Affected versions: 0 (fixed in 10.2.0)

Related CVEs

CVE-2023-50447

Key Information

GHSA ID

GHSA-3f63-hfp8-52jq

Published

January 19, 2024 9:30 PM

Last Modified

November 18, 2024 4:26 PM

CVSS Score

9.0 /10

Primary Ecosystem

PyPI

Primary Package

Pillow

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.