The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. https://nvd.nist.gov/vuln/detail/CVE-2021-23437