Unpacking The WEBP Vulnerability

Unpacking The WEBP Vulnerability

In the ever-evolving landscape of cybersecurity, it’s crucial to stay informed about the latest vulnerabilities that can affect our digital lives. Today, we’ll dive into CVE-2023-5129, a security flaw that has made waves in the world of web browsers, specifically affecting Google’s Chromium project. This vulnerability exploits the handling of specially crafted WebP lossless files in libwebp, leading to data being written out of bounds to the heap. Google have quietly upgraded the original CVE-2023-4863, which was described as a Google Chrome issue to CVE-2023-5129, which is an issue with the libwep library. The wide usage of the libwep library means that the impact is far greater.

Understanding the Vulnerability:

CVE-2023-5129 is a classic example of how an innocent-looking image format like WebP can become a weapon in the hands of malicious actors. At its core, libwebp is an open-source library developed by Google for encoding and decoding WebP images. WebP is known for its efficiency in compressing images while maintaining quality, making it a popular choice for web and application developers.

The heart of the issue lies in the ReadHuffmanCodes() function within libwebp. When handling WebP images, libwebp allocates memory for a HuffmanCode buffer based on a predefined array called kTableSize. The size chosen depends on the value of color_cache_bits, which, when manipulated, triggers the vulnerability.

Here’s the catch: the kTableSize array is designed to account for 8-bit first-level table lookups but not second-level table lookups. This means that while libwebp can handle codes of up to 15 bits in length (MAX_ALLOWED_CODE_LENGTH), the second-level tables may not be adequately sized to accommodate them.

Exploiting the Vulnerability:

To exploit CVE-2023-5129, an attacker crafts a specially designed WebP file that tricks libwebp into attempting to fill the second-level tables with data that exceeds their allocated bounds. This is where the out-of-bounds (OOB) write occurs, leading to potential heap corruption.

The vulnerable code path in question is known as ReplicateValue, and it’s a crucial piece of the puzzle for attackers. By carefully manipulating the input data, they can trigger this code path and gain unauthorized access to the system’s memory.

Impact and Mitigation:

The consequences of a successful exploitation of this vulnerability can be severe. Attackers can potentially execute arbitrary code, crash the application, or even gain control over the affected system. Therefore, it’s essential to stay vigilant and take prompt action to mitigate this risk.

Google’s libwebp maintainers have likely addressed this issue with a security patch. Users are strongly advised to keep their web browsers and associated libraries up to date. Regularly applying security updates is one of the most effective ways to protect against such vulnerabilities although at the time of writing, Microsoft Teams is a widespread example of an application which has not yet been patched.


CVE-2023-5129 serves as a stark reminder of the evolving nature of cybersecurity threats. Even seemingly harmless image formats can become vectors for exploitation when handled improperly. Staying informed about such vulnerabilities and promptly applying patches is crucial for maintaining the security of our digital world. As we continue to rely on the web for various aspects of our lives, cybersecurity remains a top priority.

If you would like help with navigating and mitigating issues like this. Contact Be Secure Cyber for a no obligation chat.


NVD – CVE-2023-4863 (nist.gov) , NVD – CVE-2023-5129 (nist.gov)

Google assigns new maximum rated CVE to libwebp bug exploited in attacks (bleepingcomputer.com) ,

Google quietly corrects previously submitted disclosure for critical webp 0-day | Ars Technica

(We take no responsibility for the content of external links.)