A critical security flaw, CVE-2023-5129, in the libwebp image library has been identified by Google, receiving the maximum CVSS score of 10.0. Initially thought to impact only Google Chrome, the vulnerability was later found to affect any application using the libwebp library for processing WebP images.
The flaw, which has been actively exploited in the wild, is located in the ReadHuffmanCodes() function and can result in a heap buffer overflow, enabling attackers to execute arbitrary code using specially crafted WebP lossless files. Notably, this vulnerability has been used to deploy surveillance spyware and was previously tracked under different CVEs.
In early September, Citizen Lab reported that Apple had fixed actively exploited zero-day flaws, CVE-2023-41064 and CVE-2023-41061, which were leveraged to infect devices with NSO Group’s Pegasus spyware.
These vulnerabilities were used as part of a zero-click exploit called BLASTPASS, targeting iPhones running the latest iOS version. Rezilion researchers have expanded the scope of the libwebp vulnerability, identifying it in the latest versions of numerous popular container images, including Nginx, Python, Joomla, WordPress, Node.js, and more. Because the libwebp package is so widely adopted for WebP codec functionality, identifying vulnerable systems is a significant challenge, and millions of applications worldwide are potentially affected.
The efficiency of the libwebp package, outperforming JPEG and PNG in terms of size and speed, has led to its extensive adoption. This prevalence extends the attack surface significantly, raising concerns for both users and organizations. The libwebp vulnerability initially seemed to target only Chromium-based applications but, as discovered later, it can affect a much broader range of software and applications that rely on this package, creating a complex security challenge.
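One way to start the inventory that the container-image findings above call for, as an added example that is not from the article or from Rezilion: a Python script that scans an unpacked image root for libwebp packages recorded in the dpkg and apk databases and for libwebp shared objects on disk, marking copies outside the standard linker directories as bundled. The directory heuristic, output format and function names are assumptions of this example, and statically linked copies are not detected.

```python
import os
import re
import sys

# Package databases to read: (path relative to the image root, name field, version field).
PKG_DBS = [("var/lib/dpkg/status", "Package", "Version"),   # Debian/Ubuntu
           ("lib/apk/db/installed", "P", "V")]               # Alpine
PKG_NAME = re.compile(r"libwebp\d*")                     # libwebp, libwebp7; not libwebpmux3
SO_NAME = re.compile(r"libwebp(?![a-z]).*\.so(\.\d+)*")  # also matches hash-mangled bundled names
LINKER_DIR = re.compile(r"(usr/)?lib(64)?(/[\w.]+-linux-\w+)?")  # heuristic (assumption): OS dirs


def db_packages(root):
    """Return (db, package, version) for each installed libwebp package in the OS databases."""
    hits = []
    for rel, name_key, ver_key in PKG_DBS:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for record in fh.read().split("\n\n"):      # records are blank-line separated
                f = {k: v.strip() for k, _, v in (ln.partition(":") for ln in record.splitlines())}
                installed = f.get("Status", "install ok installed").endswith(" installed")
                if PKG_NAME.fullmatch(f.get(name_key, "")) and installed:
                    hits.append((rel, f[name_key], f.get(ver_key, "unknown")))
    return hits


def shared_objects(root):
    """Return (relative path, kind) for each libwebp shared object; kind is 'system' or 'bundled'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if SO_NAME.fullmatch(name) and not os.path.islink(full):   # skip soname symlinks
                rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
                kind = "system" if LINKER_DIR.fullmatch(rel_dir) else "bundled"
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), kind))
    return sorted(hits)


if __name__ == "__main__":
    image_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for db, pkg, ver in db_packages(image_root):
        print(f"package  {pkg} {ver}  ({db})")
    for path, kind in shared_objects(image_root):
        print(f"{kind:8} {path}")
```

Compare the reported package versions against your distribution's advisory for this CVE, since distributions often backport fixes without changing the upstream version number. Copies marked as bundled are not updated by the OS package manager and need their owning application or dependency rebuilt.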