Pillow
General Information
| Field | Value |
|---|---|
| Package Name | Pillow (PIL Fork) |
| Manufacturer / Vendor | Python Pillow Team (Jeffrey A. Clark and contributors) |
| Software Category | Library |
| Primary Documentation | Documentation, GitHub, PyPI |
| Programming Language(s) | Python, C |
| License | MIT-CMU (HPND) |
| Deployed Version(s) | >=12.0.0 |
| Most Recent Available Version | 12.1.0 |
| Last Review Date | 2026-01-26 |
Overview
Pillow is the friendly fork of the Python Imaging Library (PIL), providing extensive file format support, an efficient internal representation, and powerful image processing capabilities. It is the de facto standard library for image manipulation in the Python ecosystem.
Within the medical device software, Pillow serves as the foundational image processing layer in the computer vision infrastructure. It is integrated into the legithp-expert framework, where it handles critical image operations across all AI expert services (60+ microservices for clinical sign classification and segmentation). Specifically, Pillow is used for:
- Image decoding and encoding: Converting between Base64-encoded image data and internal pixel representations via the
Base64ImageCodecadapter - Color space normalization: Ensuring all input images are converted to sRGB color space for consistent model inference, supporting multiple source color spaces (CMYK, LAB, grayscale, palette-based, and ICC-profiled images)
- ICC profile management: Using the
ImageCmsmodule to accurately convert images with embedded ICC color profiles to the device's standardized sRGB working space - Domain entity support: Providing bidirectional conversion between the domain
Imageentity and PIL's nativeImagetype
The library was selected for its industry-standard status, comprehensive format support, robust color management capabilities via Little CMS integration, permissive licensing compatible with commercial medical device software, and active long-term maintenance by the Python community.
Functional Requirements
The following functional capabilities of this SOUP are relied upon by the medical device software.
| Requirement ID | Description | Source / Reference |
|---|---|---|
| FR-001 | Open and decode images from binary data streams (JPEG, PNG, and other formats) | Image.open() method |
| FR-002 | Convert between NumPy arrays and PIL Image objects | Image.fromarray(), numpy.array() |
| FR-003 | Save images to binary streams in specified formats (JPEG, PNG) | Image.save() method |
| FR-004 | Convert images between color modes (RGB, RGBA, CMYK, LAB, L, P) | Image.convert() method |
| FR-005 | Extract and read embedded ICC color profiles from images | Image.info["icc_profile"] |
| FR-006 | Perform ICC profile-based color space transformations to sRGB | ImageCms.profileToProfile() |
| FR-007 | Create sRGB color profile for color management operations | ImageCms.createProfile("sRGB") |
| FR-008 | Read EXIF metadata for color space validation | Image.getexif() method |
| FR-009 | Composite RGBA images against backgrounds (alpha channel removal) | Image.paste() with mask |
| FR-010 | Create new images with specified mode, size, and fill color | Image.new() method |
Performance Requirements
The following performance expectations are relevant to the medical device software.
| Requirement ID | Description | Acceptance Criteria |
|---|---|---|
| PR-001 | Image decoding shall complete within acceptable API latency bounds | Decoding completes within the overall request timeout |
| PR-002 | Memory usage shall scale linearly with image dimensions | No memory leaks during repeated encode/decode operations |
| PR-003 | ICC profile transformations shall not introduce visible color artifacts | Perceptual rendering intent maintains visual fidelity |
Hardware Requirements
The following hardware dependencies or constraints are imposed by this SOUP component.
| Requirement ID | Description | Notes / Limitations |
|---|---|---|
| HR-001 | Sufficient system memory for image pixel data | Memory requirements scale with image resolution (width × height × channels) |
| HR-002 | x86-64 or ARM64 processor architecture | Pre-built wheels available for common platforms |
Software Requirements
The following software dependencies and environmental assumptions are required by this SOUP component.
| Requirement ID | Description | Dependency / Version Constraints |
|---|---|---|
| SR-001 | Python runtime environment | Python >=3.10 |
| SR-002 | Little CMS library for ICC profile support | Bundled with Pillow (liblcms2) |
| SR-003 | libjpeg for JPEG format support | Bundled or system library |
| SR-004 | zlib for PNG compression support | Bundled or system library |
| SR-005 | NumPy for array interoperability (used by device) | Compatible NumPy version |
Known Anomalies Assessment
This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.
| Anomaly Reference | Status | Applicable | Rationale | Reviewed At |
|---|---|---|---|---|
| CVE-2025-48379 (DDS heap buffer overflow) | Fixed | No | Affects DDS format writing with untrusted data; the device does not save images in DDS format | 2026-01-26 |
| CVE-2023-50447 (ImageMath.eval RCE) | Fixed | No | The device does not use PIL.ImageMath.eval() function; fixed in Pillow 10.2.0, device uses >=12.0.0 | 2026-01-26 |
| CVE-2023-5129 (WebP heap overflow) | Fixed | No | Fixed in Pillow 10.0.1; device uses >=12.0.0 which includes the fix | 2026-01-26 |
Pillow has demonstrated responsible security practices with prompt patching of reported vulnerabilities. The project maintains an active release cadence with regular security updates. According to Snyk's vulnerability database, historical vulnerabilities have been addressed in subsequent releases, and the deployed version (>=12.0.0) includes fixes for all known critical and high-severity issues.
The device's usage pattern minimizes attack surface exposure:
- Input validation: All image data is received through authenticated API endpoints and decoded within controlled memory bounds
- Limited format exposure: The device primarily processes JPEG and PNG formats for dermatological images; exotic formats with historical vulnerabilities (WebP, DDS, TGA, EPS) are not part of the expected workflow
- No dynamic code execution: The device does not use
ImageMath.eval()or other features that could enable code execution via crafted inputs - Color management isolation: ICC profile processing uses embedded profiles from medical images captured by controlled devices, not arbitrary external profiles
Risk Control Measures
The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:
- Input validation at API boundaries ensures all image data is validated before processing
- Processing is limited to expected image formats (JPEG, PNG)
- Version constraints in requirements include all known security fixes
- Image processing is isolated from external code execution paths
- No dynamic code execution features (ImageMath.eval) are used
Assessment Methodology
The following methodology was used to identify and assess known anomalies:
- Sources consulted: National Vulnerability Database (NVD), CVE Details for Pillow, Snyk vulnerability database, GitHub Security Advisories, and the Pillow GitHub repository issue tracker
- Criteria for determining applicability: Vulnerabilities were assessed based on whether the affected functionality (specific image formats, processing functions) is used by the device, whether the input vectors are reachable through the device's API, and whether the deployed version includes applicable fixes
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001