Threat Intelligence Alert – Zero-Day in Common WebP Graphics Files – Patch all Browsers Immediately

Zero Day present in WebP graphics formal - patch all browsers asap.
September 27th, 2023: CyberHoot has learned of a critical vulnerability in Googles graphics file format known as WebP.  It leverages the libwebp libraries which are exploitable leading to the machine running arbitrary code or exposing sensitive data to the attacker.


The vulnerability was initially identified by Apple and Citizen Lab as CVE-2023-4863 related to Google Chrome.  However, the issue has been reevaluated and is now labeled as CVE-2023-5129. It has been accurately pinpointed as a defect in libwebp and has been given the highest severity rating of 10/10.

Mistaken Impact Initially Reported

At first, the issue was described only as a high-severity flaw in Google Chrome, tagged as CVE-2023-4863. However, the real scope of the problem extends beyond Chrome: the vulnerability affects any software using the WebP codec via the libwebp library. This includes major browsers like Mozilla Firefox, Apple Safari, and Microsoft Edge, all of which integrate libwebp.  This vulnerability should be treated just like we treated the Log4J vulnerability since Log4j!  It is found in so many other places.

The use of WebP image processing through libwebp is widespread, spanning systems such as Linux, Android, Windows, and macOS. Given that Android has this codec integrated, native browser apps on Android devices are also impacted. The vulnerability’s extent is vast due to the ubiquitous presence of the compromised library.

The initial misidentification of the flaw as exclusive to Chrome obscured its broad consequences. Thankfully, its new label, CVE-2023-5129, correctly pins it as an inherent issue with libwebp. It’s now evident that all apps and platforms using libwebp must urgently release updates for user protection.

While exploiting this vulnerability requires some sophisticated user interaction, it still permits remote code execution. With fixes now accessible, entities relying on WebP must act promptly to update susceptible versions, preventing potential malicious activities.

Technical Details:

With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue.

This data out-of-bounds overwrite is what allows the execution of arbitrary code which is a very bad thing!

Currently Known Applications Impacted by WebP:

According to this Wikipedia page, the following applications make use of libwebP for image processing and could be impacted.  You should check with each of your vendors for a patch to apply starting with your web browsers.

  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • CrashPlan
  • Cryptocat (discontinued)
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options +
  • LosslessCut
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • Mullvad
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Symphony Chat
  • Tabby
  • Termius
  • Twitch
  • Visual Studio Code
  • WebTorrent
  • Wire
  • Yammer
What Should You Do?
As with any embedded software libraries, you need to perform an exhaustive search of your code base and application usage to ascertain where these binaries are being used.
In addition to that you should immediately set out to patching your systems where patches have been released.
Start by patching your Web Browsers which represent the largest exposure to your business.

Patch WebP 0day Now

A list of the vendors that pushed the WebP 0day patched against the vulnerability are –

You have a Vulnerability Alert Management Process, right?

If you’re a subscriber to CyberHoot’s awareness training Partner (Power) platform, you have access to our Policy and Process library which contains the Vulnerability Alert Management Process (VAMP) document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.

If you’re a vCISO client, we’ve built this process for you and now you must execute according to the prescribed measures and timeframes.  If you’re not a vCISO client or CyberHoot Product subscriber, perhaps you want to sign up here.

Secure your business with CyberHoot Today!!!

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.