GIMP API Regarding

Hi Team,

Can you please provide answers and evidences for the below API questions:

a) can the APIs be invoked via TLS only?

b) do APIs implement authentication & authorization via standard protocols (e.g. OAuth) and via standard components registered in CTC as ‘recommended’?

c) do APIs provide error messages in a standard, machine processable format?

d) are HTTP verbs not required by the API disallowed?

e) are API users integrated into the authentication framework of the solution just like regular users?

f) if the solution has a user database of its own, is the user management functionality available via APIs?

What APIs exactly are you referring to? Please try to be specific.

This looks like a question about web services, and Gimp isn’t a web application…

Can we have a email id for more info

Does this application have any API funtionality

The appllication API is meant to be used by plugins and scripts that are added to the application and called by it.

Hi Team,
We are referring to the below link for the API

Could you please give us the details for the below questions.


It’s not a web API. It’s the API for the GIMP libraries that developers use to write GIMP plug-ins.

Does This product use directly this API function?

Some of the functionality in the delivered application is implemented as plugins and scripts so yes, the product uses its own API.

What the solution uses or/and the plugins use

Maybe if you tell us why you are asking these question we could make a more sensible answer. Right now it looks like you are asking a vegan restaurant how they store their meat.

1 Like

As we are going for the Internal review for the product, we need some details for that

Is this Application Use API

My guess is that you are mixing several concepts of “API”. The “API” you linked (in the developer website) is a common application library. You compile plug-ins against this library and it calls the main application. That’s all. It’s all happening offline on your system, there are no remote calls, no TLS, no HTTP, no user authentication, nothing of the stuff you asked about…

Whereas when we look at your initial questions, I am guessing the question your internal review is trying to get an answer for is: does this software access some service online? And the answer to this is: no. GIMP is a desktop software. It doesn’t need internet and doesn’t need to run any HTTP/HTTPS query for normal usage.

The only HTTP query which GIMP might run are a read-only check (max once a week, no authentication, no data gathered) for new versions, which can be disabled in Preferences. Or again if you use the online user manual, then of course it needs to load the page (but I would hardly call this “API” call in the meaning normally used by web applications). See our Privacy Policy which gives our stance on gathering data and the like (as I guess it might be the real issue behind internal reviews).

Similarly your questions mention “API users”, “authentication framework” or “user database”; there is no such thing here. GIMP is a very old-school desktop application. No internet is needed for it to work properly and none of its features require any HTTP(S) calls.


We foun that GIMP contains a buffer overflow vulnerability. An attacker could exploit this issue by passing a crafted file to the application, which would result in an application crash. Is there any solution for this?

The solution is to fix the bug. Or what other solution are you looking for? On Linux you have various options for running GIMP in a sandbox environment, like use the Flathub package, so it is better isolated from the OS. I don’t know for other OSes.

You can report bugs to GIMP. Or if you can fix it yourself submit a patch to GIMP with the fix

1 Like

We found this bug on Windows Platform 10

Do you have a link to the bug report? Without that, it is impossible to answer you.

Okay Thanks for making it clear!
Is there any idea of when the next version of GIMP is going to be release or when can we expect the newer version release