From 68a14844b52fcdceec1b311bff9a3e014ae7f6b1 Mon Sep 17 00:00:00 2001
From: Tune <67398331+to-curiosity@users.noreply.github.com>
Date: Mon, 16 Feb 2026 23:17:32 -0500
Subject: [PATCH] fix(nomic,openai,perplexity): update pillow version to >= 12.1.1, <13.0.0 (#35254)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updates the minimum Pillow version to address CVE-2026-25990 (HIGH severity out-of-bounds write vulnerability affecting versions 10.3.0 through 12.1.0).

Changes:
langchain-nomic: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0
langchain-openai: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0
langchain-perplexity: pillow>=10.3.0,<13.0.0 → pillow>=12.1.1,<13.0.0

Safety: This is a minimum version bump within the existing constraint range (<13.0.0), so no breaking changes are introduced.

CVE Details:
CVE-2026-25990: An out-of-bounds write may be triggered when loading a specially crafted PSD image
Affected versions: 10.3.0 to <12.1.1
Fixed in: 12.1.1
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25990

** Claude Helped me write this nice message **
The original findings was thanks to a Trivy scan

---------

Co-authored-by: Mason Daugherty
---
 libs/partners/nomic/pyproject.toml | 2 +-
 libs/partners/openai/pyproject.toml | 2 +-
 libs/partners/perplexity/pyproject.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libs/partners/nomic/pyproject.toml b/libs/partners/nomic/pyproject.toml
index 83ce8b39ce2..4fed9123653 100644
--- a/libs/partners/nomic/pyproject.toml
+++ b/libs/partners/nomic/pyproject.toml
@@ -24,7 +24,7 @@ requires-python = ">=3.10.0,<4.0.0"
 dependencies = [
 "langchain-core>=1.0.0,<2.0.0",
 "nomic>=3.5.3,<4.0.0",
- "pillow>=10.3.0,<13.0.0",
+ "pillow>=12.1.1,<13.0.0",
 ]

 [project.urls]
diff --git a/libs/partners/openai/pyproject.toml b/libs/partners/openai/pyproject.toml
index 53d48c9ae0e..c6abcec698c 100644
--- a/libs/partners/openai/pyproject.toml
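Review bot: The raised floor on the `pillow` entry of `dependencies` is a runtime constraint for every installer of langchain-nomic, so the commit message's "no breaking changes" claim holds for the API but not for dependency resolution: any environment or lockfile that pins Pillow below 12.1.1 will stop resolving against this release, and that deserves a line in the release notes. The reason for the floor is not recorded next to the pin; a comment above it such as `# >=12.1.1: CVE-2026-25990 (out-of-bounds write when loading crafted PSD files)` keeps a later contributor from relaxing it without realising what it protects. Of the three hunks this is the only one that edits a runtime dependency list; the other two edit `test_integration` groups, which by their name look test-time only. The `[project.urls]` table at the end of the hunk continues outside it.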
+++ b/libs/partners/openai/pyproject.toml
@@ -61,7 +61,7 @@ lint = ["ruff>=0.13.1,<0.14.0"]
 dev = ["langchain-core"]
 test_integration = [
 "httpx>=0.27.0,<1.0.0",
- "pillow>=10.3.0,<13.0.0",
+ "pillow>=12.1.1,<13.0.0",
 "numpy>=1.26.4; python_version < '3.13'",
 "numpy>=2.1.0; python_version >= '3.13'",
 ]
diff --git a/libs/partners/perplexity/pyproject.toml b/libs/partners/perplexity/pyproject.toml
index 1abf5ca361c..7b36f840523 100644
--- a/libs/partners/perplexity/pyproject.toml
+++ b/libs/partners/perplexity/pyproject.toml
@@ -56,7 +56,7 @@ lint = ["ruff>=0.13.1,<0.14.0"]
 dev = ["langchain-core"]
 test_integration = [
 "httpx>=0.27.0,<1.0.0",
- "pillow>=10.3.0,<13.0.0",
+ "pillow>=12.1.1,<13.0.0",
 ]
 typing = [
 "mypy>=1.10.0,<2.0.0",
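Review bot: The `pillow` pin changed in this hunk lives in the `test_integration` group rather than in the package's runtime dependency list, so it narrows what the integration-test environment installs but, as far as this hunk shows, does not change what langchain-openai users receive; the commit message lists it alongside the langchain-nomic change as if the exposure were the same, and the two cases are worth distinguishing there. The diffstat touches only the three pyproject.toml files, so if a lockfile is maintained next to these packages it would need regenerating in the same change, otherwise CI keeps installing whichever Pillow release was previously locked and the bump is not actually exercised. The table that holds these dependency groups starts above the hunk.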