GHSA-56pw-mpj4-fxww: Duplicate Advisory: Bundled libwebp in Pillow vulnerable

October 5, 2023 (updated May 30, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-56pw-mpj4-fxww. This link is maintained to preserve external references.

Original Description

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

References

github.com/advisories/GHSA-56pw-mpj4-fxww
github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml
github.com/python-pillow/Pillow
github.com/python-pillow/Pillow/blob/main/CHANGES.rst
nvd.nist.gov/vuln/detail/CVE-2023-4863
nvd.nist.gov/vuln/detail/CVE-2023-5129

Code Behaviors & Features

Detect and mitigate GHSA-56pw-mpj4-fxww with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →