Pharos Response to WebP Vulnerability - September 2023
- Updated on 05 Apr 2024
Recently, a security vulnerability was discovered in the WebP image library: CVE-2023-4863.
The vulnerability is rated as "Critical" because it allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. This impacts Chrome, Chromium-based browsers, and any applications built on them.
At this time, the NVD has not yet scored this vulnerability, but the score is expected to be high.
This vulnerability also impacts Electron (which embeds Chromium), a popular tool used to build cross-platform applications. Specifically, it impacts the following versions:
- >=22.0.0 < 22.3.24
- >=24.0.0 < 24.8.3
- >=25.0.0 < 25.8.1
- >=26.0.0 < 26.2.1
- >=27.0.0-beta.1 < 27.0.0-beta.2
A webpage providing an overview of Chrome and WebP impacts can be found here: https://security.snyk.io/vuln/SNYK-JS-ELECTRON-5892810
Many organizations, including Pharos customers, are urgently investigating where Electron is used and how to update or repair those instances.
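As an added example (not Pharos's code), the following Node.js snippet checks an Electron version string against the affected ranges listed above, which is the comparison an organization performing that inventory needs to make. It implements a minimal semver comparison itself so it runs offline; the range table is copied from the advisory.

```javascript
// Added example, not part of the Pharos advisory: does an Electron version
// fall inside one of the CVE-2023-4863 affected ranges listed above?
// Ranges copied from the advisory; the parser is a minimal semver subset
// for "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
const AFFECTED_RANGES = [
  { from: '22.0.0', before: '22.3.24' },
  { from: '24.0.0', before: '24.8.3' },
  { from: '25.0.0', before: '25.8.1' },
  { from: '26.0.0', before: '26.2.1' },
  { from: '27.0.0-beta.1', before: '27.0.0-beta.2' },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts below its release;
// prerelease identifiers compare numerically when both are numeric, otherwise
// a numeric identifier sorts below an alphanumeric one, then lexically.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1;   // shorter prerelease sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version is inside any [from, before) range from the advisory.
function isAffectedElectron(version) {
  return AFFECTED_RANGES.some(r =>
    compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0);
}
```

Note that 27.0.0 (the release) is not in the listed range, because a release sorts above every prerelease of the same core version, which is exactly what the advisory's `< 27.0.0-beta.2` bound expresses.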
Pharos Software and Electron/WebP
Pharos has reviewed all of our software, third-party tools and libraries, and internal infrastructure. Pharos does use Electron, but we DO NOT use any of the impacted versions.
Pharos is continuing to monitor this situation.