WebP 0-Day CVE-2023-5129 

A zero-day vulnerability (CVE-2023-5129) in the WebP image library is being actively exploited, putting major browsers and scores of additional apps at risk. 


What's happening? 

On Wednesday, Google published a vulnerability tagged as CVE-2023-5129 and gave it a base score of 10.0. That's as bad as it gets, and it underscores the seriousness of the flaw.


What is CVE-2023-5129? 

CVE-2023-5129 is a heap buffer overflow flaw in the WebP image format, specifically in the way it provides lossless compression for images on the web (using WebP allows web developers to create smaller images that still look great, making browsing faster). We won't get into the nitty-gritty details here, but you can find more info on heap buffer overflow flaws in general online.

Of note: this vulnerability was originally tracked as CVE-2023-4863, and attributed only to Chrome. The new CVE was issued to clarify that the flaw actually applies to a much wider range of apps (partial list below).


How bad is CVE-2023-5129? 

Unfortunately, very (hence the 10.0 CVSS), for three reasons:

The impact is extremely broad: The vulnerability affects any software that utilizes the WebP codec. That includes major browsers like Chrome, Firefox, Safari, and Edge, but, as mentioned, also a host of additional apps (partial list below). 

The impact of exploitation is extremely serious: Successful exploitation could potentially result in attackers taking control of a system, executing arbitrary code, and accessing sensitive user data. 

Attackers are already actively exploiting it: Earlier this month (September 11), Google acknowledged that CVE-2023-4863 was being exploited in the wild. In addition, the flaw has been linked to Citizen Lab's September 7 "BLASTPASS" report disclosing a zero-click, zero-day iPhone exploit captured in the wild. 


What apps are affected by CVE-2023-5129? 

Numerous apps employ WebP image handling via libwebp. Since the codec is built into Android, all native browser apps on Android devices are affected.

But the list expands from there. According to a list compiled on Wikipedia, the following applications use the WebP codec:

  • 1Password 
  • balenaEtcher 
  • Basecamp 3 
  • Beaker (web browser) 
  • Bitwarden 
  • CrashPlan 
  • Cryptocat (discontinued) 
  • Discord 
  • Eclipse Theia 
  • FreeTube 
  • GitHub Desktop 
  • GitKraken 
  • Joplin 
  • Keybase 
  • Lbry 
  • Light Table 
  • Logitech Options + 
  • LosslessCut 
  • Mattermost 
  • Microsoft Teams 
  • MongoDB Compass 
  • Mullvad 
  • Notion 
  • Obsidian 
  • QQ (for macOS) 
  • Quasar Framework 
  • Shift 
  • Signal 
  • Skype 
  • Slack 
  • Symphony Chat 
  • Tabby 
  • Termius 
  • TIDAL 
  • Twitch 
  • Visual Studio Code 
  • WebTorrent 
  • Wire 
  • Yammer 


What apps have patches for CVE-2023-5129 available? 

Cyberkendra.com is also compiling a helpful list of vendors that have pushed patches for this vulnerability, and will be actively updating it: 

  • Google Chrome – Mac and Linux 116.0.5845.187 and Windows 116.0.5845.187/.188.
  • Mozilla – Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 
  • Brave Browser – version 1.57.64 (Chromium: 116.0.5845.188) [Android, iOS, Linux & Mac]. 
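
To check an inventory against the fixed builds listed above, each installed version has to be compared with the fix for its own release branch, not with a single minimum (an ESR 115.2.0 install is unpatched even though ESR 102.15.1 is fixed). The Python below is an added example, not from the original page or any vendor; the product keys (such as `firefox-esr`), the sample inventory, and the rule that a major version newer than every listed branch already contains the fix are assumptions.

```python
# Fixed versions copied from the patch list on this page. A product can have
# several supported branches, each with its own fixed build.
# The dictionary keys are hypothetical names chosen for this example.
PATCHED = {
    "chrome": ["116.0.5845.187"],
    "firefox": ["117.0.1"],
    "firefox-esr": ["102.15.1", "115.2.1"],
    "thunderbird": ["102.15.1", "115.2.2"],
    "brave": ["1.57.64"],
}


def parse(version):
    """Turn '115.2.1' into (115, 2, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(product, version):
    """True if `version` predates the fixed build of its release branch."""
    installed = parse(version)
    fixes = sorted(parse(v) for v in PATCHED[product.lower()])
    for fix in fixes:
        # The first branch whose major is >= the installed major decides it.
        if fix[0] >= installed[0]:
            return installed < fix
    # Assumption: a major newer than every listed branch shipped after the fix.
    return False


def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if needs_update(row[1], row[2])]


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "chrome", "116.0.5845.179"),
    ("ws-02", "chrome", "116.0.5845.188"),
    ("ws-03", "firefox-esr", "115.2.0"),
    ("ws-04", "firefox-esr", "102.15.1"),
    ("ws-05", "thunderbird", "115.2.2"),
    ("ws-06", "brave", "1.57.62"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE):
        print(f"{host}: {product} {version} is below the fixed build")
```

The table only covers the browsers and mail client named in the patch list; apps from the longer WebP list need their own vendor's fixed version before they can be added.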
Copyright © 2024 GZD, All Rights Reserved. 