Critical Zero-Day Vulnerability in ‘libwebp’: CVE-2023-4863 Reassigned as CVE-2023-5129


Google has issued a new CVE identifier for a critical zero-day vulnerability that is under active exploitation. The vulnerability, labeled CVE-2023-5129, was initially misidentified as a Chrome vulnerability (CVE-2023-4863). However, it has been revealed that the vulnerability affects the libwebp image library used for rendering images in WebP format, specifically stemming from the Huffman coding algorithm.

Chrome was critical as it’s on everyone’s system and navigating to a URL caused the exploit. For, say, a hosted app that leverages this library, I’m assuming that a malicious file would have to be uploaded (POST) with a webp extension. Still exploitable, but requires targeted actions.
We typically only allow a handful of image files. WebP and SVG are not on the allow list.
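
One way to enforce an image allow list like the one mentioned above on file content rather than on the extension alone, so that WebP data is recognised whatever the file is named. This is an added example, not code from the original post; the allow list contents, the function names and the sample bytes are assumptions made for illustration.

```python
import struct

# Hypothetical allow list: upload extension -> expected content type (assumption).
EXT_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
# Leading magic bytes for each allowed type.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def sniff_webp(data: bytes):
    """Return the first chunk FourCC if data starts with a RIFF/WEBP header, else None."""
    if len(data) < 16 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    # 'VP8 ' = lossy, 'VP8L' = lossless (the Huffman-coded format), 'VP8X' = extended.
    return data[12:16].decode("ascii", "replace")


def detect_type(data: bytes):
    """Identify the content type from magic bytes; None means unrecognised."""
    if sniff_webp(data) is not None:
        return "webp"
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def check_upload(filename: str, data: bytes) -> dict:
    """Allow only when the extension is on the allow list AND the content matches it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    expected = EXT_TO_TYPE.get(ext)
    allowed = expected is not None and detected == expected
    return {"ext": ext, "detected": detected,
            "webp_chunk": sniff_webp(data), "allowed": allowed}


# Constructed samples: header bytes only, not decodable images.
WEBP_AS_PNG = b"RIFF" + struct.pack("<I", 12) + b"WEBP" + b"VP8L" + struct.pack("<I", 0)
REAL_PNG = SIGNATURES["png"] + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("avatar.png", WEBP_AS_PNG), ("logo.png", REAL_PNG),
                       ("pic.webp", WEBP_AS_PNG)]:
        print(name, check_upload(name, blob))
```

The check belongs before any image library touches the bytes; rejected uploads whose detected type is `webp` are worth logging separately from ordinary mismatches.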

