CVE-2021-23437 Overview
CVE-2021-23437 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Python Pillow versions from 5.2.0 up to, but not including, 8.3.2. The vulnerability exists in the getrgb function within the ImageColor module, which processes color specifier strings without validating their length. An attacker can exploit this flaw by supplying specially crafted, excessively long color strings that cause catastrophic backtracking in the regular expression parser, leading to denial of service conditions.
Critical Impact
Remote attackers can cause application-level denial of service by providing maliciously crafted color specifier strings to applications using vulnerable Pillow versions, potentially exhausting CPU resources and rendering services unavailable.
Affected Products
- Python Pillow versions 5.2.0 through 8.3.1
- Fedora 33 (with vulnerable Pillow packages)
- Fedora 34 (with vulnerable Pillow packages)
Discovery Timeline
- September 3, 2021 - CVE-2021-23437 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-23437
Vulnerability Analysis
This vulnerability is classified as a Regular Expression Denial of Service (ReDoS) attack, which occurs when specially crafted input causes regular expression evaluation to take an excessive amount of time. In Pillow's ImageColor.py module, the getrgb function parses color specifier strings to convert them into RGB tuples. Prior to the fix, there was no validation on the length of input strings passed to this function.
When an attacker supplies an extremely long color specifier string, the regular expression matching operations within getrgb can enter a state of catastrophic backtracking. This algorithmic complexity issue causes the CPU to spend exponentially more time processing longer strings, effectively freezing the application thread handling the request.
Root Cause
The root cause is the absence of input length validation in the getrgb function before processing color specifier strings. Without a maximum length check, arbitrarily long strings can be passed to the regular expression engine, triggering worst-case algorithmic behavior. The vulnerability affects the color parsing logic in src/PIL/ImageColor.py, where color strings are matched against multiple patterns to determine the color format (hex, RGB, HSL, etc.).
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. Any application that accepts user-controlled input and passes it to Pillow's getrgb function (directly or indirectly through other Pillow APIs that parse color strings) is potentially vulnerable. Common attack scenarios include:
- Web applications that accept color parameters from users
- Image processing services that parse color specifications from API requests
- Any Python application using Pillow for image manipulation with user-supplied color values
# Security patch in src/PIL/ImageColor.py - Raise ValueError if color specifier is too long
:param color: A color string
:return: ``(red, green, blue[, alpha])``
"""
+ if len(color) > 100:
+ raise ValueError("color specifier is too long")
color = color.lower()
rgb = colormap.get(color, None)
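Review bot: the docstring directly above the new check documents only `:param color:` and `:return:`, but the change introduces a new failure mode; add a `:raises ValueError:` line stating that specifiers longer than 100 characters are rejected, and consider naming the 100 limit as a module-level constant so that the check, the error message and the documentation all reference the same value.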
Source: GitHub Pillow Commit
Detection Methods for CVE-2021-23437
Indicators of Compromise
- Unusual CPU spikes in Python processes running Pillow image processing
- Application threads becoming unresponsive during color parsing operations
- Timeout errors in web applications handling image color parameters
- Log entries showing excessively long color specifier strings in request parameters
Detection Strategies
- Monitor for abnormally long string parameters being passed to image processing endpoints
- Implement application-level logging for Pillow function calls with input length tracking
- Deploy runtime application self-protection (RASP) to detect ReDoS attack patterns
- Use dependency scanning tools to identify vulnerable Pillow versions in your codebase
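The first detection strategy above, flagging abnormally long color parameters in request logs, as an added example that is not part of the original advisory or of Pillow. The access-log format, the set of parameter names treated as color inputs and the sample lines are all constructed assumptions; the 100-character threshold is the one Pillow 8.3.2 enforces.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pillow 8.3.2 rejects color specifiers longer than 100 characters;
# use the same bound as the alert threshold.
MAX_COLOR_LEN = 100

# Assumed parameter names an application might pass on to ImageColor.getrgb.
COLOR_PARAMS = {"color", "colour", "fill", "outline", "bg", "background"}

# Request line of a combined-style access log: method, target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_color_params(line, max_len=MAX_COLOR_LEN):
    """Return (param, decoded length) for every color parameter over max_len."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes values, so lengths match what the app sees.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in COLOR_PARAMS and len(value) > max_len:
            hits.append((name, len(value)))
    return hits


def scan_log(lines):
    """Return alerts as (line number, param, decoded length) tuples."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for name, length in suspicious_color_params(line):
            alerts.append((n, name, length))
    return alerts


# Constructed sample lines, not real traffic. The third carries a
# 150-character color value of the kind the advisory describes.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2021:10:00:01 +0000] "GET /render?color=%23ff0000&size=64 HTTP/1.1" 200 512',
    '203.0.113.6 - - [03/Sep/2021:10:00:02 +0000] "GET /render?color=rgb(10,20,30) HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Sep/2021:10:00:03 +0000] "GET /render?color=' + "a" * 150 + ' HTTP/1.1" 504 0',
]

if __name__ == "__main__":
    for n, name, length in scan_log(SAMPLE_LOG):
        print(f"line {n}: parameter {name!r} is {length} chars (> {MAX_COLOR_LEN})")
```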
Monitoring Recommendations
- Set up alerting for Python process CPU utilization exceeding normal thresholds
- Implement request timeout monitoring for endpoints that process color specifications
- Enable verbose logging for image processing operations during security assessments
- Regularly audit dependencies using tools like pip-audit or Snyk to identify vulnerable packages
How to Mitigate CVE-2021-23437
Immediate Actions Required
- Upgrade Python Pillow to version 8.3.2 or later immediately
- Audit applications to identify any usage of getrgb or color parsing functions with user input
- Implement input validation to reject excessively long color specifier strings at the application layer
- Consider implementing request timeouts for image processing operations as a defense-in-depth measure
Patch Information
The vulnerability was patched in Pillow version 8.3.2. The fix adds a simple length check at the beginning of the getrgb function that raises a ValueError if the color specifier string exceeds 100 characters. This prevents the regular expression engine from processing maliciously long strings.
Upgrade using pip:
pip install --upgrade "Pillow>=8.3.2"
For detailed information, refer to the Pillow 8.3.2 Release Notes and the security fix commit.
Workarounds
- Implement application-level input validation to limit color string length to 100 characters or less
- Add request timeout configurations to prevent long-running operations from blocking resources
- Use a web application firewall (WAF) rule to filter requests with excessively long color parameters
- Consider wrapping Pillow color parsing calls in a timeout decorator as a temporary mitigation
# Configuration example - Validate input length before passing to Pillow
# Add this validation in your application code before calling getrgb:
# if len(color_string) > 100:
# raise ValueError("Color specifier too long")
# Upgrade Pillow to patched version
pip install "Pillow>=8.3.2"
# Verify installed version
pip show Pillow | grep Version
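The application-layer workaround and the version audit described above, as an added example written for this page rather than taken from the advisory or from Pillow. It assumes the caller forwards the returned string to ImageColor.getrgb; the 100-character bound and the affected range 5.2.0 <= version < 8.3.2 come from the advisory.

```python
import re

# Same bound that Pillow 8.3.2 enforces inside ImageColor.getrgb.
MAX_COLOR_LEN = 100


def validate_color_specifier(color, max_len=MAX_COLOR_LEN):
    """Reject oversized specifiers before they reach the regex-based parser.

    Returns the normalized (stripped, lower-cased) string on success so the
    caller can hand it to ImageColor.getrgb; raises ValueError otherwise.
    """
    if not isinstance(color, str):
        raise TypeError("color specifier must be a string")
    if len(color) > max_len:
        raise ValueError(f"color specifier is too long ({len(color)} > {max_len})")
    return color.strip().lower()


def is_acceptable(color):
    """Boolean form of the check, convenient for request validation layers."""
    try:
        validate_color_specifier(color)
        return True
    except (TypeError, ValueError):
        return False


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def pillow_is_vulnerable(version):
    """True if a Pillow version string falls in the affected range 5.2.0 <= v < 8.3.2."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (5, 2, 0) <= v < (8, 3, 2)


def installed_pillow_is_vulnerable():
    """Check the Pillow installed in this environment; False if it is absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return pillow_is_vulnerable(version("Pillow"))
    except PackageNotFoundError:
        return False


if __name__ == "__main__":
    print("installed Pillow vulnerable:", installed_pillow_is_vulnerable())
    for spec in ("#FF0000", "rgb(10,20,30)", "x" * 150):  # constructed inputs
        print(repr(spec[:12]), "accepted" if is_acceptable(spec) else "rejected")
```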
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


