Outdated Pillow dependency (~=9.3.0) with known security CVEs #9

Open
opened 2026-05-14 21:11:08 +02:00 by Claude · 0 comments

## Problem

`requirements.txt` pins Pillow to the `9.3.x` series (`Pillow~=9.3.0`), which was released in October 2022. Multiple security vulnerabilities have been disclosed in Pillow since that release, including CVE-2023-44271 (uncontrolled resource consumption via crafted image fonts) and CVE-2023-50447 (arbitrary code execution via specially crafted image files in certain processing paths).

## Location

`requirements.txt`, line 3: `Pillow~=9.3.0`

## Risk

The launcher downloads an image from the Albion assets CDN and opens it with `PIL.Image.open()` (line 287). If the CDN is compromised or a MITM attack is possible, a crafted image could trigger a Pillow vulnerability, potentially leading to code execution or a denial of service on the user's machine.

## Suggested fix direction

Upgrade the Pillow dependency to the latest stable release (currently 10.x or 11.x). Update `requirements.txt` to a less restrictive pin such as `Pillow>=10.3.0` to allow security patch uptake. Run the application against the new version to verify compatibility.

## Severity

moderate

## Found by

Automated audit by Claude Code
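One way to mechanize the check this issue describes, as an added example rather than the project's own code: it parses `requirements.txt` lines, works out whether each Pillow specifier can ever resolve to a release at or above the suggested `10.3.0` floor, and flags the `~=9.3.0` pin (the minimum version and the sample requirements lines are assumptions constructed for the example).

```python
import re

# Constructed sample requirements.txt; line 3 mirrors the pin reported in this issue.
SAMPLE_REQUIREMENTS = """requests>=2.28
customtkinter==5.1.2
Pillow~=9.3.0
"""

# Assumed floor per package: the lowest release that is acceptable to install.
# (10.3.0 is the pin suggested above; adjust as new advisories are published.)
MIN_SAFE = {"pillow": (10, 3, 0)}

# name, optional operator, optional version; only the first clause of a
# comma-separated specifier is examined.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(~=|==|>=|>|<=|<|!=)?\s*([0-9][0-9.]*)?")


def parse_version(text):
    """'9.3.0' -> (9, 3, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def pin_admits(op, ver, minimum):
    """True if the specifier can resolve to some version >= minimum."""
    if op is None or op in (">=", ">", "!="):
        return True                     # unpinned or open-ended upward
    if op == "==":
        return ver >= minimum           # exact pin must itself be new enough
    if op == "~=":
        # PEP 440 compatible release: ~=9.3.0 means >=9.3.0, ==9.3.*, so every
        # component except the last is frozen. The pin admits a safe version
        # only if that frozen prefix is not below the floor's prefix.
        prefix = ver[:-1] if len(ver) > 1 else ver
        return prefix >= minimum[: len(prefix)]
    if op == "<":
        return ver > minimum            # some version below the cap is still >= floor
    if op == "<=":
        return ver >= minimum
    return True


def audit(text, minimums=MIN_SAFE):
    """Return (line number, requirement, floor) for each pin that blocks the floor."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line) if line else None
        if not m or m.group(1).lower() not in minimums:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if not pin_admits(op, parse_version(ver) if ver else (), minimums[name]):
            findings.append((lineno, line, minimums[name]))
    return findings
```

Running `audit(SAMPLE_REQUIREMENTS)` reports line 3; the same function run in CI over the real file keeps the pin from silently drifting back below the floor.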

Reference
bc1bb/4lbion#9