Bundled libwebp in pywebp vulnerable

Impact

pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buffer overflow which allowed a remote attacker to perform an out of bounds memory write.

Patches

The problem has been patched upstream in libwebp 1.3.2. pywebp was updated to bundle a patched version of libwebp in v0.3.0.

Workarounds

No known workarounds without upgrading.

References

https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/
https://nvd.nist.gov/vuln/detail/CVE-2023-4863

Published: Oct 6, 2023
Updated: Oct 7, 2023
GHSA: GHSA-f9pm-4g9p-6vm3
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
webp	-	0.3.0

https://github.com/anibali/pywebp/commit/1f938731a158a6584977cec2cce21b21c15f6c4b
https://github.com/anibali/pywebp/security/advisories/GHSA-f9pm-4g9p-6vm3

Vulnerability Database

289,689

Bundled libwebp in pywebp vulnerable

Impact

Patches

Workarounds

References