Critical Zero-Day Vulnerability in ‘libwebp’: CVE-2023-4863 Reassigned as CVE-2023-5129


For your information.

Best regards,

From Socradar :

Google has issued a new CVE identifier for a critical zero-day vulnerability that is under active exploitation. The vulnerability, labeled CVE-2023-5129, was initially misidentified as a Chrome vulnerability (CVE-2023-4863). However, it has been revealed that the vulnerability affects the libwebp image library used for rendering images in WebP format , specifically stemming from the Huffman coding algorithm.

Chrome was critical as it’s on everyones system and navigating to a url caused the exploit. For say a hosted app that leverages this library, I’m assuming that a malicious file would have to be uploaded (POST) with a webp extention. Still exploitable, but requires targeted actions.
We typically only allow a handful of image files. Webp and SVG are not on the allow list.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.