CVE-2022-22817

CRITICAL

Pillow < 9.0.1 - Remote Code Execution via ImageMath.eval Expression Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-22817. PoC published by JawadPy.

AI-analyzed exploit summary: The PoC demonstrates an RCE vulnerability in Pillow's `PIL.ImageMath.eval()` function by injecting an `exec()` call to execute arbitrary code. This exploit leverages the unsafe evaluation of expressions in versions prior to 9.0.0.

Description

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Exploits (1)

GitHub · WORKING POC · 1 star
by JawadPy · python · poc
https://github.com/JawadPy/CVE-Exploit-Collection/tree/main/CVE-2022-22817-Exploit


Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Pillow < 9.0.0
No auth needed
Prerequisites: Target application using `PIL.ImageMath.eval()` with untrusted input
Analyzed by devstral-2 on Apr 29, 2026

Scores

CVSS v3 9.8
EPSS 0.0278
EPSS Percentile 86.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (5)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
pypi/pillow 0 - 9.0.1 (PyPI)
python/pillow < 9.0.1
Published Jan 10, 2022
Tracked Since Feb 18, 2026