Wagtail sites with WebP support and Pillow < 10.0.1 are vulnerable when users upload a malicious image.
In the last few weeks, there has been widespread publicity about a 0-day security vulnerability in WebP, specifically in the widely used libwebp image library. This vulnerability, CVE-2023-4863, is a heap buffer overflow that can have a serious impact on systems using a vulnerable version of libwebp.
Wagtail sites are vulnerable if they support WebP uploads and use a Pillow version below 10.0.1. Exploitation requires a user with permission to add images to upload a malicious WebP image, but we nonetheless recommend that all Wagtail site implementers consider upgrading their website to a recent patch release of Wagtail, and to Pillow 10.0.1 or above.
WebP upload support is on by default in Wagtail. To check whether your site has a custom configuration, review your site’s WAGTAILIMAGES_EXTENSIONS Django setting; if it is not set, the default applies, and the default includes WebP.
The following Wagtail versions are compatible with Pillow 10.0.1 and up:
For sites that can’t be upgraded, we recommend using the WAGTAILIMAGES_EXTENSIONS setting to allow uploads only in other formats, excluding WebP.
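The two conditions above (WebP allowed in WAGTAILIMAGES_EXTENSIONS, and Pillow below 10.0.1) can be checked together in a small audit script. The following is an added example, not code from the Wagtail project or this advisory; it assumes Pillow is installed under the distribution name "Pillow", and the default extension list it uses is a constructed stand-in that mirrors Wagtail's documented default of including "webp". It also shows the restricted setting a site that cannot upgrade would put in its Django settings.

```python
"""Audit helper for the WebP/Pillow issue described in the advisory.

Added example (not Wagtail's own code). Assumptions: the fixed Pillow
version is taken from the advisory text (10.0.1); DEFAULT_EXTENSIONS is a
constructed stand-in for Wagtail's default WAGTAILIMAGES_EXTENSIONS.
"""
import re
from importlib import metadata

# First Pillow release the advisory names as safe.
FIXED_PILLOW = (10, 0, 1)

# Constructed stand-in for Wagtail's default (assumption): WebP is included.
DEFAULT_EXTENSIONS = ["gif", "jpg", "jpeg", "png", "webp"]

# Hardened value for settings.py on sites that cannot upgrade Pillow:
#   WAGTAILIMAGES_EXTENSIONS = ["gif", "jpg", "jpeg", "png"]
RESTRICTED_EXTENSIONS = [ext for ext in DEFAULT_EXTENSIONS if ext != "webp"]


def parse_version(version):
    """Turn '10.0.1' (or '9.5.0.post1') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def pillow_is_patched(version):
    """True when the given Pillow version string is 10.0.1 or later."""
    return parse_version(version) >= FIXED_PILLOW


def webp_enabled(extensions=None):
    """An unset WAGTAILIMAGES_EXTENSIONS means the default, which allows WebP.

    Extensions are compared case-insensitively and with any leading dot
    removed, so ".WEBP" in a custom setting still counts as enabled.
    """
    exts = DEFAULT_EXTENSIONS if extensions is None else extensions
    return any(ext.lower().lstrip(".") == "webp" for ext in exts)


def site_exposed(pillow_version, extensions=None):
    """Exposed only when both advisory conditions hold at once."""
    return webp_enabled(extensions) and not pillow_is_patched(pillow_version)


def installed_pillow_version():
    """Read the installed Pillow version, or None if Pillow is not installed."""
    try:
        return metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None


def audit(pillow_version, extensions=None):
    """Return a short human-readable verdict for an ops checklist."""
    if pillow_version is None:
        return "Pillow not installed: WebP decoding via Pillow not in use"
    if not webp_enabled(extensions):
        return "WebP uploads disabled: not exposed (Pillow %s)" % pillow_version
    if pillow_is_patched(pillow_version):
        return "WebP allowed, Pillow %s is patched: not exposed" % pillow_version
    return "EXPOSED: WebP allowed and Pillow %s < 10.0.1" % pillow_version


if __name__ == "__main__":
    # Run inside the site's virtualenv; pass the real setting if one is set.
    print(audit(installed_pillow_version()))
    print("Restricted setting:", RESTRICTED_EXTENSIONS)
```

Run it from the site's virtualenv so `installed_pillow_version()` sees the same Pillow the site imports; pass the site's actual WAGTAILIMAGES_EXTENSIONS value to `audit()` when one is configured.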