⚠ Exploited in the wild
Exploitation of this libwebp bug has been observed in the wild. The in-the-wild reports and the CISA KEV entry track it under CVE-2023-4863, the identifier this one duplicates; CVE-2023-5129 itself is not on CISA KEV.

CVE-2023-5129: Improper Input Validation in External Webp

Severity: 8.8 HIGH (GHSA score; no CVSS vector published)
EPSS: no EPSS data
CISA KEV: not in KEV
Exploit: exploited in the wild; active exploitation observed
Timeline: published Sep 25, 2023; latest update Jan 16, 2024

Description

This identifier was assigned to the same libwebp flaw that is tracked as CVE-2023-4863 and was later rejected by the CVE program as a duplicate of it; the "Duplicate Advisory" entries under Vulnerability Details below reflect that. Fixes and detections should key on CVE-2023-4863.

With a specially crafted WebP lossless file, libwebp may write data out of bounds on the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size taken from an array of precomputed sizes, kTableSize; the color_cache_bits value selects which entry is used. The kTableSize array only accounts for the 8-bit first-level table lookups, not for the second-level table lookups, yet libwebp allows codes up to 15 bits long (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTab
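The sizing mistake the description names, shown in working code. This is an added example written for this page, not code from libwebp, from any advisory, or from the exploit: a simplified C reimplementation of the two-level canonical Huffman table that libwebp's BuildHuffmanTable builds (8-bit first level, 15-bit maximum code length, second-level tables sized from the counts of longer codes still to be placed), plus the decoder-side lookup that consumes it. The one-symbol special case and libwebp's real bit reader are left out, and libwebp's actual kTableSize values are not reproduced. Every name here (build_table, next_table_bits, decode_symbol, roundtrip, kSpineLengths) is mine, and the input code lengths are constructed, not taken from any real file. The measure-with-a-NULL-table-then-allocate shape in roundtrip is the alternative to a fixed bound indexed by color_cache_bits.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_CODE_LEN 15 /* libwebp MAX_ALLOWED_CODE_LENGTH */
#define ROOT_BITS 8     /* libwebp HUFFMAN_TABLE_BITS: width of the first-level lookup */
typedef struct { uint8_t bits; uint16_t value; } HuffmanCode;
/* Bit-reversed increment: keys are canonical codes stored LSB-first, as the VP8L bit reader delivers them. */
static uint32_t next_key(uint32_t key, int len) {
    uint32_t step = 1u << (len - 1);
    while (key & step) step >>= 1;
    return step ? (key & (step - 1)) + step : key;
}
/* Depth of the sub-table a code of length len opens, derived from the longer codes still unplaced. */
static int next_table_bits(const int *count, int len) {
    int left = 1 << (len - ROOT_BITS);
    while (len < MAX_CODE_LEN && (left -= count[len]) > 0) { ++len; left <<= 1; }
    return len - ROOT_BITS;
}
static void replicate(HuffmanCode *t, int step, int end, HuffmanCode c) { do { end -= step; t[end] = c; } while (end > 0); }

/* Two-level table builder, simplified from libwebp's BuildHuffmanTable (one-symbol special case omitted). Returns
   the entry count the code needs, or 0 if the lengths are not a complete prefix code. root == NULL only measures. */
static int build_table(HuffmanCode *root, const int *lengths, int n) {
    int count[MAX_CODE_LEN + 1] = {0}, offset[MAX_CODE_LEN + 2] = {0}, *sorted;
    int i, len, step = 2, coded = 0, sym = 0, num_open = 1, num_nodes = 1;
    int total = 1 << ROOT_BITS, tab_off = 0, tab_size = total, tab_bits;
    uint32_t key = 0, low = ~0u, mask = (uint32_t)total - 1;
    HuffmanCode c;
    for (i = 0; i < n; ++i) {
        if (lengths[i] < 0 || lengths[i] > MAX_CODE_LEN) return 0;
        ++count[lengths[i]]; coded += lengths[i] != 0;
    }
    if (coded < 2 || (sorted = malloc(sizeof(int) * (size_t)n)) == NULL) return 0;
    for (len = 1; len <= MAX_CODE_LEN; ++len) offset[len + 1] = offset[len] + count[len];
    for (i = 0; i < n; ++i) if (lengths[i]) sorted[offset[lengths[i]]++] = i;   /* symbols by (length, index) */
    for (len = 1; len <= MAX_CODE_LEN; ++len, step <<= 1) {
        num_open <<= 1; num_nodes += num_open; num_open -= count[len];       /* Kraft bookkeeping */
        if (num_open < 0) { free(sorted); return 0; }                        /* over-subscribed code */
        if (len == ROOT_BITS + 1) step = 2;               /* replication step restarts inside sub-tables */
        for (; count[len] > 0; --count[len], key = next_key(key, len)) {
            c.value = (uint16_t)sorted[sym++];
            if (len <= ROOT_BITS) {                       /* first level: replicate across the root table */
                c.bits = (uint8_t)len;
                if (root) replicate(&root[key], step, total, c);
                continue;
            }
            if ((key & mask) != low) {                    /* new 8-bit prefix: open a second-level table */
                tab_off += tab_size;
                tab_bits = next_table_bits(count, len);
                tab_size = 1 << tab_bits;
                total += tab_size;                        /* growth a first-level-only bound never sees */
                low = key & mask;
                if (root) { root[low].bits = (uint8_t)(tab_bits + ROOT_BITS); root[low].value = (uint16_t)(tab_off - low); }
            }
            c.bits = (uint8_t)(len - ROOT_BITS);
            if (root) replicate(&root[tab_off + (key >> ROOT_BITS)], step, tab_size, c);
        }
    }
    free(sorted);
    return num_nodes == 2 * coded - 1 ? total : 0;        /* incomplete code: reject */
}
/* DEFLATE-style canonical code assignment, the same ordering build_table uses. */
static void canonical_codes(const int *lengths, int n, uint32_t *codes) {
    int count[MAX_CODE_LEN + 1] = {0}, i, len;
    uint32_t next[MAX_CODE_LEN + 1], code = 0;
    for (i = 0; i < n; ++i) if (lengths[i]) ++count[lengths[i]];
    for (len = 1; len <= MAX_CODE_LEN; ++len) next[len] = code = (code + (uint32_t)count[len - 1]) << 1;
    for (i = 0; i < n; ++i) codes[i] = lengths[i] ? next[lengths[i]]++ : 0;
}
/* One symbol from an LSB-first buffer: root lookup on ROOT_BITS bits, then the optional sub-table hop. */
static int decode_symbol(const HuffmanCode *table, uint64_t bits, int *pos) {
    uint32_t val = (uint32_t)(bits >> *pos);
    const HuffmanCode *e = &table[val & ((1u << ROOT_BITS) - 1)];
    int nbits = e->bits - ROOT_BITS;
    if (nbits > 0) {                      /* code longer than 8 bits: consume the root's 8, index the sub-table */
        *pos += ROOT_BITS; val = (uint32_t)(bits >> *pos);
        e = e + e->value + (val & ((1u << nbits) - 1));
    }
    *pos += e->bits;
    return e->value;
}
/* Hardened flow, then proof the table works: measure with a NULL table, allocate exactly that many entries, build,
   encode `count` symbols (MSB first into an LSB-first buffer) and decode them back. Returns 1 on an exact round
   trip. Caller keeps n <= 256 and the total code length within 64 bits. */
static int roundtrip(const int *lengths, int n, const int *syms, int count) {
    uint32_t codes[256]; uint64_t bits = 0; int i, b, pos = 0, ok = 1;
    int needed = build_table(NULL, lengths, n);
    HuffmanCode *t = needed ? calloc((size_t)needed, sizeof *t) : NULL;
    if (t == NULL || n > 256 || build_table(t, lengths, n) != needed) { free(t); return 0; }
    canonical_codes(lengths, n, codes);
    for (i = 0; i < count; ++i)
        for (b = lengths[syms[i]] - 1; b >= 0; --b) bits |= (uint64_t)((codes[syms[i]] >> b) & 1) << pos++;
    for (pos = 0, i = 0; i < count; ++i) ok &= decode_symbol(t, bits, &pos) == syms[i];
    free(t);
    return ok;
}
/* Constructed input, not taken from any real file: a complete 16-symbol code whose last 8-bit prefix holds a
   depth-9..15 spine. Those 8 symbols alone cost a 128-entry sub-table, so 384 entries are needed, not 256 + 16. */
static const int kSpineLengths[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 15 };
```

What the numbers show: kSpineLengths is a valid, complete prefix code (the Kraft check in build_table accepts it, just as libwebp accepts it), yet it needs 384 table entries for 16 symbols, because a second-level table is sized by the depth of the subtree behind a root prefix, not by how many symbols live there. Any allocation derived from the first-level size, the alphabet size, or a fixed per-color_cache_bits constant can therefore be smaller than what build_table writes; the right-hand path, a dry run with root == NULL followed by an allocation of exactly that size, cannot. build_table returns 0 for over-subscribed and incomplete codes, which is why a crafted file has to reach the over-allocation with the shape of a valid tree rather than with an invalid one.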

Affected Packages (5 packages on the source page; 4 listed)

Ecosystem   Package                     Affected range     Fixed in
Android     platform/external_webp      from 14-next:0     14-next:2023-10-06 (+4 more ranges)
Go          github.com/chai2010_webp    from 1.1.2         1.4.0 (+2 more ranges)
PyPI        python/pillow               < 10.0.1           10.0.1
npm         electron/electron           from 22.0.0        22.3.24 (+4 more ranges)

🔴 Vulnerability Details (10)

OSV    2023-10-05  Duplicate Advisory: Bundled libwebp in Pillow vulnerable
GHSA   2023-10-05  Bundled libwebp in imagecodecs vulnerable
GHSA   2023-10-05  Duplicate Advisory: Bundled libwebp in Pillow vulnerable
OSV    2023-10-05  Bundled libwebp in imagecodecs vulnerable
OSV    2023-10-01  CVE-2023-4863: In BuildHuffmanTable of huffman_utils

📋 Vendor Advisories (3)

Red Hat   2023-09-25  libwebp: out-of-bounds write with a specially crafted WebP lossless file
Mozilla               Mozilla Foundation Security Advisory 2023-40: CVE-2023-5129
Apache                Apache Guacamole: CVE-2023-5129

🕵️ Threat Intelligence (12)

Wiz               2024-01-16  Crying out Cloud – Our Favorite Stories of 2023 | Wiz Blog
Bleepingcomputer  2023-10-03  Microsoft Edge, Teams get fixes for zero-days in open-source libraries
Wiz               2023-10-01  CVE-2023-4863 and CVE-2023-5217 Exploited in the Wild | Wiz Blog
CVE-2023-5129 — Improper Input Validation | cvebase