Wagtail sites with WebP support and Pillow < 10.0.1 are vulnerable when users upload a malicious image.
In the last few weeks there has been widespread publicity about a 0-day vulnerability in WebP, specifically in libwebp, the widely used image library that decodes the format. This vulnerability, CVE-2023-4863, is a heap buffer overflow triggered by a crafted WebP file, and it can have a serious impact on any system that decodes untrusted images with a vulnerable libwebp.
Wagtail sites are vulnerable if they accept WebP uploads and use a Pillow version below 10.0.1, since Pillow bundles libwebp and Wagtail decodes uploaded images with it. The overflow can only be triggered by a user who holds image-add permissions and uploads a malicious WebP file, but we nonetheless recommend that all Wagtail site implementers upgrade to a recent patch release of Wagtail and to Pillow 10.0.1 or above.
WebP upload support is on by default in Wagtail – to check whether your site has a custom configuration, review your site’s WAGTAILIMAGES_EXTENSIONS Django setting.
The following Wagtail releases are compatible with Pillow 10.0.1 and up (note that upgrading Wagtail on its own does not upgrade Pillow; pin Pillow 10.0.1 or later in your requirements as well):
- Wagtail 5.1 and all subsequent 5.1.x releases
- Wagtail 5.0.4 and up
- Wagtail 4.1.8 and up
For sites that can't be upgraded, we recommend using the WAGTAILIMAGES_EXTENSIONS setting to remove "webp" from the allow-list so that only other formats can be uploaded. Existing WebP images already stored on the site are unaffected by this setting and should be reviewed separately.
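The two checks described above, the Pillow version and the WAGTAILIMAGES_EXTENSIONS allow-list, combined into one script. This is an added example, not code from the Wagtail project: the setting name and the 10.0.1 threshold come from this advisory, the default extension list is the one documented for Wagtail 5.x (verify it against your installed version), and the `exposure()` helper and its return labels are this example's own.

```python
"""Assess a Wagtail site's exposure to CVE-2023-4863 via WebP uploads.

Added example, not Wagtail project code. Assumes the advisory's facts:
Pillow < 10.0.1 is vulnerable and "webp" is in the default allow-list.
"""
import importlib.metadata
import re

# First Pillow release that ships a patched libwebp (from the advisory).
SAFE_PILLOW = (10, 0, 1)

# Documented Wagtail 5.x default (assumption: confirm against your version).
DEFAULT_EXTENSIONS = ["gif", "jpg", "jpeg", "png", "webp"]

# Hardened allow-list for sites that cannot upgrade: the same list minus "webp".
# Put `WAGTAILIMAGES_EXTENSIONS = [...]` with this value in your Django settings.
HARDENED_EXTENSIONS = [ext for ext in DEFAULT_EXTENSIONS if ext != "webp"]


def parse_version(version: str) -> tuple:
    """Turn '9.5.0', '10.0.1' or '10.1.0.post1' into a comparable int tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable Pillow version: {version!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def pillow_is_patched(version: str) -> bool:
    """True when the given Pillow version is 10.0.1 or later."""
    return parse_version(version) >= SAFE_PILLOW


def webp_uploads_allowed(extensions) -> bool:
    """True when the allow-list admits WebP (case- and dot-insensitive)."""
    return "webp" in {ext.lower().lstrip(".") for ext in extensions}


def exposure(pillow_version: str, extensions) -> str:
    """Classify the site: 'vulnerable', 'mitigated' or 'patched'.

    Labels are this example's own. 'mitigated' means WebP is blocked by
    configuration but the vulnerable decoder is still installed.
    """
    if pillow_is_patched(pillow_version):
        return "patched"
    if webp_uploads_allowed(extensions):
        return "vulnerable"
    return "mitigated"


def installed_pillow_version() -> str:
    """Version of the Pillow distribution in the current environment."""
    return importlib.metadata.version("Pillow")


if __name__ == "__main__":
    # Reads the live Pillow version; substitute your settings' allow-list
    # for DEFAULT_EXTENSIONS when running against a real site.
    try:
        version = installed_pillow_version()
    except importlib.metadata.PackageNotFoundError:
        version = "0.0.0"  # no Pillow at all: treat as unpatched
    print(f"Pillow {version}: {exposure(version, DEFAULT_EXTENSIONS)}")
```

Run it inside the site's virtualenv so the Pillow lookup reflects what Wagtail actually imports; on a site that also pins Pillow in requirements, the pin is the thing to change.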
We take the security of Wagtail, and related packages we maintain, seriously. Please follow our security policy when reporting issues, and refer to our support channels for any other queries.