Advisory

Google libwebp critical vulnerability impacts massive number of applications - start checking

Take action: Start checking your infrastructure and applications thoroughly for any dependency on libwebp, and start patching your applications. Regardless of operating system, you are vulnerable to this issue. Some applications will be auto-updated; others will require a manual patch. But it is important not to drop the ball on this one: the exploit is too easy and can be executed against so many different applications.


Learn More

The vulnerability in the libwebp library was initially reported by Apple and Citizen Lab under CVE-2023-4863, scoped specifically to Google Chrome.

As of yesterday the vulnerability has been reclassified as CVE-2023-5129 (CVSS3 severity 10), the highest possible severity rating, and its impact is now properly defined as affecting ALL applications that use the libwebp library.

Update: CVE-2023-5129 (CVSS3 severity 10) has been rejected as a duplicate of CVE-2023-4863. Please note that the latest severity rating for the libwebp vulnerability declared by Google remains at 10.

The vulnerability is located in the lossless compression component of the open-source libwebp library, which is responsible for encoding and decoding images in the WebP format. To be precise, it is a heap buffer overflow in the Huffman coding algorithm used for WebP lossless compression.

Exploiting this flaw involves crafting a malicious WebP image and luring a victim into opening it, allowing attackers to execute arbitrary code and access sensitive user data. The bug affects applications on desktop operating systems as well as on Android. On Android it could be exploited remotely in apps such as Signal and WhatsApp.

The vulnerability was initially perceived as affecting browsers like Chrome, Chromium-based browsers, Mozilla Firefox, Apple Safari, and Microsoft Edge.

Reviewing the vulnerability makes it clear that a multitude of applications, frameworks and software projects across platforms handle WebP images via libwebp. Because the codec is integrated into Android, all native browser apps on Android devices are affected. Entire frameworks such as Electron are also impacted.

Here's a non-exhaustive list of applications that are impacted:

  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • CrashPlan
  • Cryptocat (discontinued)
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options+
  • LosslessCut
  • LibreOffice
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • Mullvad
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Symphony Chat
  • Tabby
  • Termius
  • TIDAL
  • Twitch
  • Visual Studio Code
  • WebTorrent
  • Wire
  • Yammer

Several vendors have released patches to address this vulnerability. Notably, Google Chrome, Mozilla Firefox, Brave Browser, Microsoft Edge, Tor Browser, Opera, Vivaldi, and Bitwarden have all pushed patches to mitigate this critical issue.
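To act on the "Take action" guidance above, here is an added example (not from the advisory's author) that inventories libwebp on a Linux host and flags package versions older than a fixed version you supply. The fixed version is an assumption taken from your vendor's advisory, since this page does not quote it; copies bundled inside applications (the Electron case above) are listed but not judged, because the soname digits are not the release version.

```shell
#!/bin/sh
# Added example, not part of the advisory: inventory libwebp on a Linux host and
# flag anything older than the fixed release passed as $1 (an assumption: take it
# from the vendor advisory). Needs only POSIX sh, grep -o and find.

# True (exit 0) when dotted numeric version $1 is strictly older than $2.
version_older_than() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                   # leading component of each
        [ "$a" = "$ai" ] && a= || a=${a#*.}        # drop it from the remainder
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0  # missing components count as 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# First dotted version in text such as "libwebp7 1.2.4-0.2" or "libwebp-1.2.4-4.el9".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
}

# Classify one inventory line against the fixed version: OUTDATED, OK or UNKNOWN.
# Shared-object paths are UNKNOWN: the digits in libwebp.so.N.N.N are the soname,
# not the release, so a bundled copy must be judged by its application's own update.
classify_line() {
    case $1 in *.so*) echo UNKNOWN; return 0 ;; esac
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo UNKNOWN
    elif version_older_than "$ver" "$2"; then echo OUTDATED
    else echo OK
    fi
}

# Package-manager view plus shared objects shipped outside it (copies bundled
# inside applications are exactly what patching the system package does not fix).
inventory_libwebp() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' 'libwebp*' 2>/dev/null || :
    fi
    if command -v rpm >/dev/null 2>&1; then rpm -qa 'libwebp*' 2>/dev/null || :; fi
    find / -xdev -type f -name 'libwebp*.so*' 2>/dev/null || :
}
# Usage: sh check_libwebp.sh <fixed-libwebp-version>
if [ $# -eq 1 ]; then
    inventory_libwebp | while IFS= read -r line; do
        printf '%-8s %s\n' "$(classify_line "$line" "$1")" "$line"
    done
fi
```

Run it as root so that `find` can see application directories, and treat every UNKNOWN line as a prompt to check that application's own advisory.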
