What You Need to Know About the libwebp Exploit

libwebp exploit timeline

Related identifiers: CVE-2023-41064 (Apple ImageIO, the BLASTPASS chain), CVE-2023-4863 (Chrome and libwebp), CVE-2023-5129 (libwebp, later rejected as a duplicate of CVE-2023-4863)

  • The flaw is a heap buffer overflow in libwebp's lossless (VP8L) decoder, reached while building Huffman decoding tables from a crafted image. Any application that decodes attacker-supplied WebP data is exposed.
  • It is a zero-click exploit: the user does not need to click anything or take any action. Simply viewing a maliciously crafted WebP image is enough to trigger the overflow.
  • Citizen Lab researchers, together with Apple's Security Engineering & Architecture (SEAR) team, promptly disclosed the issue to Google because of the potential damage to Google Chrome users.
  • On or around September 12, 2023, Google published the vulnerability as a Chrome issue under a different id, CVE-2023-4863, alongside a Chrome release containing the fix.
  • On September 25, 2023, Google concluded that the impact went beyond Chromium and filed a second CVE, CVE-2023-5129, with the maximum CVSS score of 10.0. Its scope was not a specific product or framework but the libwebp library itself, which ships with nearly all modern operating systems. CVE-2023-5129 was subsequently rejected as a duplicate of CVE-2023-4863, so CVE-2023-4863 is the id to track in advisories and scanner output, even though it was originally recorded against Chrome.

What is libwebp?

libwebp is Google's reference library for encoding and decoding WebP images. It is bundled with, or packaged for, almost all modern operating systems and software platforms, including Apple iOS and macOS, Chromium-based products such as the Google Chrome browser and the Electron framework, and Linux distributions such as Debian and Ubuntu, Alpine, CentOS, Gentoo and SUSE.

Google Chrome and Electron in turn sit underneath some of the most popular desktop applications, including Slack, 1Password, Visual Studio Code, Discord and Microsoft Edge. Chromium and Electron both bundle their own copy of libwebp, so every Chromium-based browser and every Electron application carried the vulnerable decoder until its vendor shipped a rebuilt release.

How to detect libwebp with OX Security

The vulnerable libwebp code can appear directly in an application's dependency tree (a vendored or statically linked copy, or a language binding that wraps it), but it is most commonly present as an operating-system package. That makes it hard to find, because security teams must inventory every operating system in use, including the base images of every container they build, and traditional application scanners typically do not look inside base images at all.

For OX Security users, scanning Dockerfile definitions and container images happens automatically.
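To make the operating-system side of that check concrete, the following script is an added example written for this article, not OX Security's scanner or libwebp project code. It asks whichever package manager the host or container image ships with (dpkg, rpm or apk) for installed libwebp packages and flags any whose upstream version is older than 1.3.2, the libwebp release that contains the fix. The package-name pattern libwebp*, the plain numeric comparison against 1.3.2, and the docker invocation in the comments are assumptions of the example.

```shell
#!/bin/sh
# Added example (not OX Security code): flag installed libwebp packages whose
# upstream version predates 1.3.2, the first libwebp release with the fix for
# CVE-2023-4863. Assumptions: packages are named libwebp* and the package
# manager is dpkg, rpm or apk. Scan a container image with:
#   docker run --rm -v "$PWD:/chk:ro" IMAGE sh /chk/check_libwebp.sh scan
set -u

FIXED_VERSION="1.3.2"

# Reduce a distro version string to upstream "major.minor.patch": drop an epoch
# ("2:1.2.4-1"), a Debian/RPM/Alpine release suffix ("-0.2+deb12u1", "-3.el9",
# "-r0") and any components beyond the third.
upstream_version() {
  printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-_+~].*$//' | cut -d. -f1-3
}

# version_lt A B: succeed (exit 0) when upstream A is strictly older than
# upstream B, comparing each of the three components numerically.
version_lt() {
  a=$(upstream_version "$1")
  b=$(upstream_version "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | awk -F. -v f="$i" '{ print $f + 0 }')
    y=$(printf '%s\n' "$b" | awk -F. -v f="$i" '{ print $f + 0 }')
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Read "package version" lines on stdin, print a verdict per line and succeed
# (exit 0) only if at least one package was flagged.
report_vulnerable() {
  found=1
  while read -r pkg ver; do
    [ -n "$pkg" ] || continue
    if version_lt "$ver" "$FIXED_VERSION"; then
      echo "VULNERABLE  $pkg $ver  (upstream < $FIXED_VERSION)"
      found=0
    else
      echo "ok          $pkg $ver"
    fi
  done
  return "$found"
}

# Emit "package version" for every installed libwebp* package, using whichever
# package manager is present (Debian/Ubuntu, RHEL/SUSE, Alpine).
list_libwebp_packages() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' 'libwebp*' 2>/dev/null || true
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'libwebp*' 2>/dev/null || true
  elif command -v apk >/dev/null 2>&1; then
    # apk prints lines such as "libwebp-1.3.2-r0 x86_64 {libwebp} ... [installed]";
    # split the first field into name and version at the first "-<digit>".
    apk list --installed 2>/dev/null \
      | awk '/^libwebp/ { n = $1; sub(/-[0-9].*$/, "", n); print n, substr($1, length(n) + 2) }'
  fi
}

# Stand-alone use: "sh check_libwebp.sh scan" scans the current host or
# container and exits 2 if anything was flagged. Without the argument only the
# functions are defined, so the file can be sourced by other scripts.
case "${1:-}" in
  scan)
    if list_libwebp_packages | report_vulnerable; then exit 2; fi
    ;;
esac
```

Two caveats when reading its output. Distributions often backport the fix without bumping the upstream version, so a package such as libwebp 1.2.4 with a newer distro release suffix may already be patched; treat a VULNERABLE line as a triage signal and confirm against the distribution's advisory for that exact package version. And the check sees only packaged copies: Chromium, Electron applications and other software that statically link libwebp never show up in dpkg, rpm or apk and have to be inventoried by application version instead.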

What you should do now

Step 1: Test your applications with OX Security. Sign up for a free OX Security account.

OX Security automates the rest. Our solution:

  • Scans all your applications from cloud to code.
  • Detects direct uses of libwebp, as well as the harder cases: libraries, frameworks and container base images that contain libwebp.
  • Works out the safe versions you should be using: libwebp 1.3.2 or later, and for software that bundles its own copy, the vendor's rebuilt release (for example Chrome 116.0.5845.187 or later; Electron and other embedders published their own patched versions).
  • Prioritizes risks where libwebp is exposed in production and deprioritizes risks where libwebp is not deployed or used.
  • Triggers your organization's response plan.

OX Security will continue to monitor this situation and provide updates as events unfold. Follow us on LinkedIn and check back on the OX Security Blog for any developments as they occur. If you have any questions, email one of our product specialists at support@ox.security.
