CVE-2025-48379: 
Python vulnerability analysis and mitigation

CVE-2025-48379 affects Pillow, a Python imaging library, in versions 11.2.0 to before 11.3.0. The vulnerability was discovered in June 2025 and patched in version 11.3.0, released on July 1, 2025. The issue involves a heap buffer overflow vulnerability when writing sufficiently large images (>64KB when encoded with default settings) in the DDS format, due to writing into a buffer without checking for available space (GitHub Advisory, NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 7.1 (High). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), with no impact on confidentiality (C:N) but high impact on integrity and availability (I:H, A:H). The issue specifically occurs in the BCn encoding process when writing compressed DDS images, where the code writes into a buffer without proper space verification (GitHub Advisory).

The vulnerability can lead to heap memory corruption when processing untrusted data saved as compressed DDS images. The potential write overflow could be practically unbounded, limited only by process segfault, making it non-deterministic. The bytes would likely be emitted in chunks of 8 or 16, potentially allowing for arbitrary code execution (GitHub Advisory).

The vulnerability has been patched in Pillow version 11.3.0. Users are advised to upgrade to this version or later to address the issue. The fix involves adding proper buffer space verification checks before writing to memory (GitHub Release).