Matplotlib 3.10.7 Wheel Contains High-Severity Pillow & FontTools Vulnerabilities (CVSS 8.1)
A security scan has flagged the official matplotlib-3.10.7 Python wheel package as containing multiple high-severity vulnerabilities in its dependencies, posing a direct risk to data science and AI development workflows. The scan, conducted on a project's dependency file, identified four vulnerabilities, the highest rated at a CVSS score of 8.1. These flaws are not in matplotlib's core code but in its transitive dependencies, Pillow and fontTools, which are pulled in automatically and used for image processing and font handling.
The primary threat stems from CVE-2023-50447 in the Pillow library (version 9.5.0), which carries a critical 8.1 CVSS score. A second high-severity issue, CVE-2023-45139 in fonttools (version 4.3), scores 7.5. The scanner's findings indicate that no direct remediation, such as a simple version upgrade, is currently available for these specific vulnerable packages within this dependency chain. This creates a silent supply-chain exposure for any project relying on this standard matplotlib release, because the vulnerable code is reachable through normal library use in image search and plotting applications.
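The kind of transitive-dependency check the scan performed, as an added example that is not part of the original report or the scanner's own code: it walks a `pip freeze` style listing, normalises package names (so `Pillow` and `fontTools` match their advisory entries), and flags the two CVEs named above. The sample freeze output is constructed, and the `fixed_in` thresholds are assumed placeholders for demonstration rather than values taken from the page.

```python
"""Audit a pip-freeze style dependency list for the transitive CVEs named above."""
import re

# Constructed advisory table: versions below `fixed_in` are treated as affected.
# The fixed_in thresholds are assumptions for this example, not values from the page.
ADVISORIES = {
    "pillow": [("CVE-2023-50447", 8.1, "10.2.0")],
    "fonttools": [("CVE-2023-45139", 7.5, "4.43.0")],
}

# Constructed sample of `pip freeze` output for an environment built around matplotlib.
SAMPLE_FREEZE = """\
matplotlib==3.10.7
Pillow==9.5.0
fontTools==4.3
numpy==2.1.0
"""


def parse_version(text):
    """Turn '4.3' / '10.2.0' into a comparable tuple; missing components count as 0.
    Pre-release suffixes (rc1, b2) are not modelled, which is a limitation of this demo."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return parts + (0,) * (3 - len(parts))


def parse_freeze(text):
    """Map normalised package name -> pinned version from `name==version` lines."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            # Normalise like PyPI does: lower-case, underscores as hyphens.
            pkgs[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pkgs


def audit(freeze_text):
    """Return (package, version, cve, cvss) for each installed affected package,
    highest CVSS first."""
    findings = []
    for name, version in parse_freeze(freeze_text).items():
        for cve, cvss, fixed_in in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, cve, cvss))
    return sorted(findings, key=lambda f: -f[3])


if __name__ == "__main__":
    for name, version, cve, cvss in audit(SAMPLE_FREEZE):
        print(f"{name}=={version}: {cve} (CVSS {cvss})")
```

Note that matplotlib itself produces no finding; the exposure comes entirely from the pinned transitive packages, which is why a scan of only direct requirements can miss it.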
The presence of these unpatched, high-severity flaws in a foundational data visualization library underscores the persistent risks in the open-source software supply chain. Projects utilizing this matplotlib build for AI, analytics, or automated reporting may be inadvertently introducing exploitable entry points. The situation highlights the gap between vulnerability disclosure and the availability of fixed versions in downstream, packaged distributions, leaving developers with a security debt that is difficult to resolve without altering their entire dependency stack.