Update dependency pillow to v12 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
pillow (changelog)	==11.2.1 → ==12.1.1

GitHub Vulnerability Alerts

CVE-2025-48379

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space.

This only affects users who save untrusted data as a compressed DDS image.

• Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily deterministic. It may be practically unbounded.
• Unclear if there's a restriction on the bytes that could be emitted. It's likely that the only restriction is that the bytes would be emitted in chunks of 8 or 16.

This was introduced in Pillow 11.2.0 when the feature was added.

CVE-2026-25990

Impact

An out-of-bounds write may be triggered when loading a specially crafted PSD image. Pillow >= 10.3.0 users are affected.

Patches

Pillow 12.1.1 will be released shortly with a fix for this.

Workarounds

Image.open() has a formats parameter that can be used to prevent PSD images from being opened.

References

Pillow 12.1.1 will add release notes at https://pillow.readthedocs.io/en/stable/releasenotes/index.html

---

Release Notes

python-pillow/Pillow (pillow)

v12.1.1

Compare Source

v12.1.0

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

• Deprecate getdata(), in favour of new get_flattened_data() #​9292 [@​radarhere]

Documentation

• Specify APNG duration type when opening #​9368 [@​radarhere]
• Added release notes for #​9350 #​9366 [@​radarhere]
• Update ImageMorph documentation #​9349 [@​radarhere]
• Docs: update major bump cadence #​9334 [@​hugovk]
• Add release notes for #​9070 #​9320 [@​radarhere]
• Updated Ubuntu version #​9306 [@​radarhere]
• Update macOS tested Pillow versions #​9265 [@​radarhere]

Dependencies

• Update harfbuzz to 12.3.0 #​9355 [@​radarhere]
• Update xz to 5.8.2 #​9343 [@​radarhere]
• Updated libjpeg-turbo to 3.1.3 #​9333 [@​radarhere]
• Updated zlib-ng to 2.3.2 #​9324 [@​radarhere]
• Updated libpng to 1.6.53 #​9325 [@​radarhere]
• Update actions/checkout action to v6 #​9323 [@​renovate[bot]]
• Update dependency mypy to v1.19.0 #​9322 [@​renovate[bot]]
• Updated libpng to 1.6.51 #​9305 [@​radarhere]
• Updated brotli to 1.2.0 #​9284 [@​radarhere]
• Update libimagequant to 4.4.1 #​9301 [@​radarhere]
• Update zlib-ng to 2.3.1, except on manylinux2014 aarch64 #​9312 [@​radarhere]
• Updated harfbuzz to 12.2.0 #​9289 [@​radarhere]
• Update github-actions #​9277 [@​renovate[bot]]

Testing

• Replace pre-commit with prek #​9360 [@​hugovk]
• Test PyQt6 on Python 3.14 on Windows #​9353 [@​radarhere]
• Test 32-bit Windows on Windows Server 2022 #​9345 [@​radarhere]
• Correct variable type #​9335 [@​radarhere]
• Fix ResourceWarnings in selftest.py #​9332 [@​hugovk]
• Fix testing good P mode BMP images #​9319 [@​radarhere]
• Test Python 3.15 pre-release #​9331 [@​hugovk]
• Test ImageFont.ImageFont, in case freetype2 is not supported #​9287 [@​radarhere]
• Add Fedora 43 #​9290 [@​radarhere]
• Remove Fedora 41 #​9260 [@​radarhere]

Type hints

• Add ImageFile context manager #​9367 [@​radarhere]
• Assert fp is not None #​8617 [@​radarhere]
• Added return type to ImageFile _close_fp() #​9356 [@​radarhere]
• Use different variables for Image and ImageFile instances #​9316 [@​radarhere]
• Correct variable type #​9335 [@​radarhere]
• Improve type hints #​9317 [@​radarhere]
• Use different variables for Image and ImageFile instances #​9268 [@​radarhere]
• Added type hints #​9269 [@​radarhere]
• Correct getitem return type #​9264 [@​radarhere]

Other changes

• Simplify band splitting #​9291 [@​radarhere]
• Support saving APNG float durations #​9365 [@​radarhere]
• Allow 1 mode images in MorphOp #​9348 [@​radarhere]
• Use minimum supported Python version for Lint #​9364 [@​radarhere]
• Allow for duplicate font variation styles #​9362 [@​radarhere]
• Call parent verify method #​9357 [@​radarhere]
• Return LUT from LutBuilder build_default_lut() #​9350 [@​radarhere]
• Simplify WebP code #​9329 [@​radarhere]
• Use unsigned long for DWORD #​9352 [@​radarhere]
• Cast to UINT32 before shifting bits #​9347 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #​9318 [@​pre-commit-ci[bot]]
• Allow window ID to be passed to ImageGrab.grab() on macOS #​9070 [@​yankeguo]
• Apply encoder options when saving multiple PNG frames #​9300 [@​radarhere]
• Read all non-zero transparency from mode 1 PNG images as 255 #​9282 [@​radarhere]
• Support writing IFD, SIGNED_RATIONAL and InkNames TIFF tags #​9276 [@​radarhere]
• Remove unused modes #​9275 [@​radarhere]
• Correct allocating new color to RGBA palette #​9313 [@​radarhere]
• Close image on ImageFont exception #​9304 [@​radarhere]
• Reapply "Use macos-latest for iOS arm64 simulator" #​9259 [@​radarhere]
• Escape period in pre-commit-config #​9036 [@​radarhere]
• Add Apache-2.0 notice to IcoImagePlugin #​8947 [@​stefan6419846]
• [pre-commit.ci] pre-commit autoupdate #​9288 [@​pre-commit-ci[bot]]
• Simplify code now that I;16* modes are the only IMAGING_TYPE_SPECIAL #​9263 [@​radarhere]
• Remove BytesIO from DdsImagePlugin #​9273 [@​radarhere]
• Fix ZeroDivisionError in DdsImagePlugin #​9272 [@​radarhere]
• Fix warnings #​9257 [@​radarhere]

v12.0.0

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/12.0.0.html

Removals

• Remove support for FreeType <= 2.9.0 #​9159 [@​radarhere]
• Drop support for Python 3.9 #​9119 [@​hugovk]
• Remove deprecations for Pillow 12.0.0 #​9053 [@​radarhere]

Deprecations

• Deprecate Image._show #​9186 [@​radarhere]
• Deprecate ImageCmsProfile product_name and product_info #​8995 [@​lukegb]

Documentation

• ImagingHistogramInstance can use two bands #​9251 [@​radarhere]
• Update 12.0.0 release notes #​9247 [@​hugovk]
• Added ImageDraw alpha channel examples #​9201 [@​radarhere]
• Update Python version #​9230 [@​radarhere]
• Updated macOS tested Pillow versions #​9209 [@​radarhere]
• Add GitHub profile link to release notes #​9197 [@​radarhere]
• Split versionadded info #​9190 [@​radarhere]
• Document ImageFile.MAXBLOCK #​9163 [@​radarhere]
• Updated macOS version in CI targets #​9157 [@​radarhere]
• Fix typos #​9135 [@​radarhere]
• Added "Colors" to concepts #​9067 [@​radarhere]
• Update macOS tested Pillow versions #​9068 [@​radarhere]
• Thanks, folks! #​9056 [@​aclark4life]
• Setup nit: "fork" should be lowercased #​9055 [@​aclark4life]

Dependencies

• Update dependency cibuildwheel to v3.2.1 #​9246 [@​renovate[bot]]
• [pre-commit.ci] pre-commit autoupdate #​9233 [@​pre-commit-ci[bot]]
• Update harfbuzz to 12.1.0 #​9218 [@​radarhere]
• Update libtiff to 4.7.1 #​9222 [@​radarhere]
• Update FreeType to 2.14.1 on macOS and Linux wheels #​9217 [@​radarhere]
• Update dependency cibuildwheel to v3.2.0 #​9219 [@​renovate[bot]]
• Update Ghostscript to 10.6.0 #​9202 [@​radarhere]
• Update openjpeg to 2.5.4 #​9215 [@​radarhere]
• Update harfbuzz to 11.5.0 #​9203 [@​radarhere]
• Update dependency mypy to v1.18.2 #​9213 [@​renovate[bot]]
• Update dependency mypy to v1.18.1 #​9207 [@​renovate[bot]]
• Update github-actions #​9194 [@​renovate[bot]]
• Updated harfbuzz to 11.4.5 #​9150 [@​radarhere]
• Update zlib-ng to 2.2.5 #​9140 [@​radarhere]
• Update raqm to 0.10.3 #​9137 [@​radarhere]
• Update libjpeg-turbo to 3.1.2 #​9188 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #​9180 [@​pre-commit-ci[bot]]
• Update dependency cibuildwheel to v3.1.4 #​9164 [@​renovate[bot]]
• Update actions/checkout action to v5 #​9156 [@​renovate[bot]]
• Update actions/download-artifact action to v5 #​9141 [@​renovate[bot]]
• Updated harfbuzz to 11.3.3 #​9103 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #​9131 [@​pre-commit-ci[bot]]
• Updated libimagequant to 4.4.0 #​9074 [@​radarhere]
• Update dependency mypy to v1.17.1 #​9130 [@​renovate[bot]]
• Update dependency cibuildwheel to v3.1.3 #​9129 [@​renovate[bot]]
• Update dependency cibuildwheel to v3.1.2 #​9118 [@​renovate[bot]]
• Updated libpng to 1.6.50 #​9058 [@​radarhere]
• Update cygwin/cygwin-install-action action to v6 #​9108 [@​renovate[bot]]
• Update dependency mypy to v1.17.0 #​9092 [@​renovate[bot]]
• Updated libwebp to 1.6.0 #​9082 [@​radarhere]
• Update dependency cibuildwheel to v3.0.1 #​9075 [@​renovate[bot]]
• [pre-commit.ci] pre-commit autoupdate #​9073 [@​pre-commit-ci[bot]]

Testing

• Check return types #​9045 [@​radarhere]
• Upgrade from macos-13 #​9212 [@​radarhere]
• Wheels CI: Check number of expected dists #​9239 [@​hugovk]
• Assert image type #​8845 [@​radarhere]
• Test GD transparency #​9196 [@​radarhere]
• Test mode when saving PPM images #​9195 [@​radarhere]
• Test unsupported BMP bitfields layout #​9193 [@​radarhere]
• Update Ghostscript to 10.6.0 #​9202 [@​radarhere]
• Use monkeypatch #​9192 [@​radarhere]
• Always check XMLPacket value #​9113 [@​radarhere]
• Rename variable to not shadow import #​9124 [@​radarhere]
• Removed unused code #​9182 [@​radarhere]
• Add has_feature_version helper #​9172 [@​radarhere]
• Replace print with assert #​9171 [@​radarhere]
• Add Debian 13 Trixie #​9147 [@​hugovk]
• Do not import from Tests directory in checks #​9143 [@​radarhere]
• Improve features test coverage #​9077 [@​radarhere]
• Remove WebP feature handling #​9096 [@​radarhere]
• Update for pyroma 5.0 #​9093 [@​radarhere]
• Improve WmfImagePlugin test coverage #​9090 [@​radarhere]
• Improve DdsImagePlugin test coverage #​9091 [@​radarhere]
• Improve ImageMath test coverage #​9087 [@​radarhere]
• Fix unclosed file warning #​9065 [@​radarhere]
• Pyroma now supports PEP 639 #​9064 [@​radarhere]

Type hints

• Install arro3 dependencies when type checking #​9254 [@​radarhere]
• Check return types #​9045 [@​radarhere]
• Assert image type #​8845 [@​radarhere]
• Move imports into TYPE_CHECKING #​9123 [@​radarhere]
• Remove support for NumPy 1.20 when type checking #​9125 [@​radarhere]

Other changes

• Use macos-14 for iOS arm64 simulator #​9258 [@​hugovk]
• Use enums for Modes and RawModes in C #​9256 [@​radarhere]
• Add ImageText #​9098 [@​radarhere]
• Shift bits before making value negative #​9255 [@​radarhere]
• Support saving variable length rational TIFF tags by default #​9241 [@​radarhere]
• Added four private SGI TIFF tags #​9245 [@​radarhere]
• Band names for arrow exported images #​9099 [@​wiredfool]
• Use macos-latest for iOS arm64 simulator #​9250 [@​radarhere]
• If pasting an image onto itself at a lower position, copy from bottom #​8882 [@​radarhere]
• Removed unused access for I;32L and I;32B #​9238 [@​radarhere]
• Corrected scientific-python-nightly-wheels pattern #​9252 [@​radarhere]
• Run sdist when scheduled, but do not upload to scientific-python-nightly-wheels index #​9248 [@​radarhere]
• Removed shebang lines and executable flags #​9179 [@​radarhere]
• Remove Pillow version from PDF comment #​9176 [@​radarhere]
• Support saving variable length rational TIFF tags #​9111 [@​radarhere]
• Build Python 3.14 on macOS 10.15 #​9234 [@​radarhere]
• Test largest CUR cursor #​9191 [@​radarhere]
• Do not unnecessarily update FLI __offset #​9184 [@​radarhere]
• Fill alpha channel when quantizing RGB images #​9133 [@​radarhere]
• Allow RGBA palettes to work with ImageOps.expand() #​9138 [@​radarhere]
• Fixed loading rotated PCD images #​9177 [@​radarhere]
• Cast before shifting bits #​9236 [@​radarhere]
• Use _ensure_mutable() #​9200 [@​radarhere]
• Seek past BeginBinary data when parsing EPS metadata #​9211 [@​radarhere]
• Do not allow negative offset with memory mapping #​9235 [@​radarhere]
• Clear C image when MPO frame image size changes #​9208 [@​radarhere]
• When converting RGBA to PA, use RGB to P quantization #​9153 [@​radarhere]
• Remove use of sudo from libavif and raqm install scripts #​9231 [@​radarhere]
• Load image palette into Python after converting to PA #​9152 [@​radarhere]
• Check all reserved bytes in FLI header #​9183 [@​radarhere]
• Limit length of read operation in ImageFont._load_pilfont_data() #​9181 [@​radarhere]
• Python 3.9 wheels are no longer needed #​9214 [@​radarhere]
• Remove unused Image _expand() #​9227 [@​radarhere]
• Updated FreeType to 2.14.1 on Windows #​9206 [@​radarhere]
• Only deprecate fromarray mode for changing data types #​9063 [@​radarhere]
• Fix reading RGB and CMYK IPTC images #​9088 [@​radarhere]
• Install zstd for libtiff on Linux wheels #​9097 [@​radarhere]
• Improve WalImageFile test coverage #​9189 [@​radarhere]
• ImageMorph operations must have length 1 #​9102 [@​radarhere]
• Set correct size for rotated PCD images after opening #​9086 [@​radarhere]
• Simplify check for GBR width and height #​9089 [@​radarhere]
• Make in parallel when building libjpeg-turbo and openjpeg for macOS and Linux wheels #​9144 [@​radarhere]
• Fix ZeroDivisionError in ImageStat #​9105 [@​radarhere]
• When deleting EXIF IFD tag, delete IFD data #​9083 [@​radarhere]
• Allow alpha_composite to use LA images #​9066 [@​radarhere]
• Improve _accept length check #​9170 [@​radarhere]
• Do not set core to DeferredError #​9166 [@​radarhere]
• Use macos-14 for iOS arm64 simulator #​9161 [@​radarhere]
• Make in parallel when building brotli and libavif for macOS and Linux wheels #​9142 [@​radarhere]
• Use Python 3.14 for gcc problem matching #​9134 [@​radarhere]
• Add libavif support for iOS #​9117 [@​freakboy3742]
• Restore pyroma test for iOS #​9116 [@​freakboy3742]
• Use correct bands for two band histograms #​9054 [@​radarhere]
• Add support for Python 3.14 #​9120 [@​hugovk]
• Drop support for PyPy3.10 #​9112 [@​radarhere]
• Add parallel compile from pybind11 #​8990 [@​wiredfool]
• Remove unused _save_cjpeg #​9084 [@​radarhere]
• Ensure dynamic libjpeg libraries are not linked #​9081 [@​freakboy3742]
• Remove reference to libtiff 3.x #​9072 [@​radarhere]
• Restored manylinux2014 wheels #​9059 [@​radarhere]

v11.3.0

Compare Source

https://pillow.readthedocs.io/en/stable/releasenotes/11.3.0.html

Deprecations

• Deprecate fromarray mode argument #​9018 [@​radarhere]
• Deprecate saving I mode images as PNG #​9023 [@​radarhere]

Documentation

• Added release notes for #​9041 #​9042 [@​radarhere]
• Add release notes for #​8912 and #​8969 #​9019 [@​radarhere]
• ImageFont does not handle multiline text #​9000 [@​radarhere]
• Updated Ubuntu CI targets #​8988 [@​radarhere]
• Update MinGW package names #​8987 [@​H4M5TER]
• Updated docstring #​8943 [@​radarhere]
• Mention that tobytes() with the raw encoder uses Pack.c #​8878 [@​radarhere]
• Refactor docs Makefile #​8933 [@​hugovk]
• Add template for quarterly release issue #​8932 [@​aclark4life]
• Add list of third party plugins #​8910 [@​radarhere]
• Update redirected URL #​8919 [@​radarhere]
• Docs: use sentence case for headers #​8914 [@​hugovk]
• Docs: remove unused Makefile targets #​8917 [@​hugovk]
• Remove indentation from lists #​8915 [@​radarhere]
• Python 3.13 is tested on Arch #​8894 [@​radarhere]
• Move XV Thumbnails to read only section #​8893 [@​aclark4life]
• Updated macOS tested Pillow versions #​8890 [@​radarhere]

Dependencies

• Add AVIF to wheels using only aomenc and dav1d AVIF codecs for reduced size #​8858 [@​fdintino]
• Use same AVIF URL when fetching dependency #​8871 [@​radarhere]
• Update dependency mypy to v1.16.1 #​9026 [@​renovate[bot]]
• Update libpng to 1.6.49 #​9014 [@​radarhere]
• Update dependency cibuildwheel to v3 #​9010 [@​renovate[bot]]
• Updated libjpeg-turbo to 3.1.1 #​9009 [@​radarhere]
• Update dependency mypy to v1.16.0 #​8991 [@​renovate[bot]]
• Updated libpng to 1.6.48 #​8940 [@​radarhere]
• Updated Ghostscript to 10.5.1 #​8939 [@​radarhere]
• Updated harfbuzz to 11.2.1 #​8937 [@​radarhere]
• Updated libavif to 1.3.0 #​8949 [@​radarhere]
• Update dependency cibuildwheel to v2.23.3 #​8931 [@​renovate[bot]]
• Updated harfbuzz to 11.1.0 #​8904 [@​radarhere]

Testing

• Add match parameter to pytest.warns() #​9038 [@​hugovk]
• Increase pytest verbosity #​9040 [@​radarhere]
• Improve SgiImagePlugin test coverage #​8896 [@​radarhere]
• Update ruff pre-commit ID #​8994 [@​radarhere]
• Only check DHT marker for libjpeg-turbo #​9025 [@​radarhere]
• Improve BLP tests #​9020 [@​radarhere]
• Fix warning #​9016 [@​radarhere]
• Test Python 3.14t on macOS and Linux #​9011 [@​radarhere]
• Only accept missing tkinter when building wheels on Windows #​8981 [@​radarhere]
• Fix test #​8996 [@​radarhere]
• Stop testing deprecated Windows Server 2019 runner image #​8989 [@​radarhere]
• Run slow tests on valgrind, but without timeout #​8975 [@​radarhere]
• Close file pointer earlier #​8895 [@​radarhere]
• Added Fedora 42 #​8899 [@​radarhere]
• Removed Fedora 40 #​8887 [@​radarhere]

Type hints

• Assert palette is not None #​8877 [@​radarhere]
• Do not import type checking #​8854 [@​radarhere]
• Improve type hints #​8883 [@​radarhere]
• Update dependency mypy to v1.16.0 #​8991 [@​renovate[bot]]

Other changes

• Updated check script paths #​9052 [@​radarhere]
• Raise FileNotFoundError when opening an empty path #​9048 [@​radarhere]
• Handle IPTC TIFF tags with incorrect type #​8925 [@​radarhere]
• Do not update palette for L mode GIF frame #​8924 [@​radarhere]
• Use save parameters as encoderinfo defaults #​9001 [@​radarhere]
• Add support for iOS #​9030 [@​freakboy3742]
• Fix qtables and quality scaling #​8879 [@​Kyliroco]
• Read 16-bit McIdas images into I;16B mode to allow for memory mapping #​9046 [@​radarhere]
• Support ttb multiline text #​8730 [@​radarhere]
• Use unpacking #​9044 [@​radarhere]
• Fix saving MPO with more than one appended image #​8979 [@​radarhere]
• Restore original encoderinfo after saving #​8942 [@​radarhere]
• Return PixelAccess from first load of ICO and IPTC images #​8922 [@​radarhere]
• Improve justifying text #​8905 [@​radarhere]
• Set color table fourth channel to zero for 1 and L mode when saving BMP #​8889 [@​radarhere]
• Improve reading XPM images #​8874 [@​radarhere]
• Fix buffer overflow when saving compressed DDS images #​9041 [@​radarhere]
• Use PEP 489 multi-phase initialization #​8983 [@​radarhere]
• Support saving I;16L TIFF images #​9015 [@​radarhere]
• Do not call sys.executable in ImageShow in PyInstaller application #​9028 [@​radarhere]
• Search for libtiff library file first on Windows and macOS #​9034 [@​radarhere]
• Fix libtiff cleanup #​9002 [@​radarhere]
• Use percent formatting for _dbg calls #​9035 [@​radarhere]
• Removed ImageCmsProfile._set method #​9032 [@​radarhere]
• Added Python 3.14 macOS x86-64 wheels #​9031 [@​radarhere]
• Support writing QOI images #​9007 [@​thisismypassport]
• Simplify C error handling #​9021 [@​radarhere]
• Add Python 3.14 beta wheels #​9012 [@​hugovk]
• Remove padding between interleaved PCX palette data #​9005 [@​radarhere]
• Start QOI decoding with a zero-initialized array of previously seen pixels #​9008 [@​radarhere]
• Correct drawing I;16 horizontal lines #​8985 [@​radarhere]
• Reduce number of bytes read for PCX header #​9004 [@​radarhere]
• Handle XMP data from an UNDEFINED TIFF tag #​8997 [@​radarhere]
• Do not decode bytes in PPM error message #​8958 [@​radarhere]
• Parse XMP tag bytes without decoding to string #​8960 [@​radarhere]
• Clear TIFF core image if memory mapping was used for last load #​8962 [@​radarhere]
• Use mask in C when drawing wide polygon lines #​8984 [@​radarhere]
• Simplify code #​8863 [@​radarhere]
• Call startswith once with a tuple #​8998 [@​radarhere]
• [pre-commit.ci] pre-commit autoupdate #​8993 [@​pre-commit-ci[bot]]
• Use ImageFile.MAXBLOCK in tobytes() #​8906 [@​radarhere]
• Removed unreachable code #​8918 [@​radarhere]
• Valgrind Memory Leak Checking #​8954 [@​wiredfool]
• Add parallel tes

---

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.