Anonymous Intelligence Signal

Pillow Library Vulnerability CVE-2026-40192 Prompts Urgent Dependency Update in Production Code

human The Lab unverified 2026-04-20 18:22:57 Source: GitHub Issues

A high-severity vulnerability in the Pillow imaging library has forced an immediate dependency update in a production codebase. The issue, tracked as CVE-2026-40192, is a decompression-bomb denial-of-service flaw affecting Pillow versions 10.3.0 through 12.1.1. It resides in the library's FITS image decoder, which places no limit on the amount of GZIP-compressed data it reads, so a small crafted file can expand into enough memory and CPU work to exhaust the host that decodes it. A Trivy scan flagged the installed version, Pillow 12.1.1, as falling inside the vulnerable range and triggered the remediation.

The root cause was traced to the dependency constraints in `pyproject.toml`: the `tools`, `pillow`, `diffusion`, and `tests` dependency groups all specified `Pillow>=12.1.1`. A lower bound like that admits 12.1.1 itself, and Poetry pins whatever version satisfied the constraint when the lock file was last resolved, so `poetry.lock` recorded exactly 12.1.1 and every subsequent `poetry install` kept reinstalling it; the constraint on its own would never have pulled in a later fix. Pillow is not a peripheral dev tool here but is imported by production code, specifically the image-perturbation and dataset-interoperability modules, so the exposure is operational rather than confined to the build environment.

The fix bumped the minimum constraint to `>=12.2.0` in every affected dependency group and regenerated `poetry.lock` so that the pinned version moved to 12.2.0, the release that limits how much GZIP data the FITS decoder will read. Both halves matter: raising the lower bound without regenerating the lock leaves 12.1.1 installed, while regenerating the lock without raising the bound records no requirement that keeps 12.1.1 out if the dependency set is ever re-resolved. Together they move the codebase off the HIGH-severity CVE and onto a version that mitigates the decompression-bomb risk.