8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-4863

GHSA ID

GHSA-j7hp-h8jx-5ppr

EPSS Score

0.99877%

CWE

CWE-787

Published

9/12/2023

Updated

1/8/2024

KEV Status

Yes

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-4863

CVE-2023-4863: libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-4863

GHSA ID

GHSA-j7hp-h8jx-5ppr

EPSS Score

0.99877%

CWE

CWE-787

Published

9/12/2023

Updated

1/8/2024

KEV Status

Yes

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libwebp-sys2	rust	< 0.1.8	0.1.8
libwebp-sys	rust	< 0.9.3	0.9.3
electron	npm	>= 22.0.0, < 22.3.24	22.3.24
electron	npm	>= 24.0.0, < 24.8.3	24.8.3
electron	npm	>= 25.0.0, < 25.8.1	25.8.1
electron	npm	>= 26.0.0, < 26.2.1	26.2.1
electron	npm	>= 27.0.0-beta.1, < 27.0.0-beta.2	27.0.0-beta.2
SkiaSharp	nuget	>= 2.0.0, < 2.88.6	2.88.6
github.com/chai2010/webp	go	>= 1.0.0
Pillow	pip	< 10.0.1	10.0.1
webp	rust	< 0.2.6	0.2.6
magick.net-q16-anycpu	nuget	< 13.3.0	13.3.0
magick.net-q16-hdri-anycpu	nuget	< 13.3.0	13.3.0
magick.net-q16-x64	nuget	< 13.3.0	13.3.0
magick.net-q8-anycpu	nuget	< 13.3.0	13.3.0
magick.net-q8-openmp-x64	nuget	< 13.3.0	13.3.0
magick.net-q8-x64	nuget	< 13.3.0	13.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub commit 902bc91 explicitly shows fixes in BuildHuffmanTable related to Huffman table size validation and memory allocation. Multiple vendor advisories (Chromium, Mozilla, Pillow) reference libwebp's BuildHuffmanTable as the root cause. The CVE description specifically mentions the overflow occurs during Huffman table construction. The vulnerability manifests when processing malicious WebP images that trigger invalid Huffman table allocations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***p *u***r ov*r*low in li*w**p *llow * r*mot* *tt**k*r to p*r*orm *n out o* *oun*s m*mory writ* vi* * *r**t** *TML p***.

Reasoning

T** *it*u* *ommit ******* *xpli*itly s*ows *ix*s in *uil**u**m*nT**l* r*l*t** to *u**m*n t**l* siz* v*li**tion *n* m*mory *llo**tion. Multipl* v*n*or **visori*s (**romium, Mozill*, Pillow) r***r*n** li*w**p's *uil**u**m*nT**l* *s t** root **us*. T**

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-4863: libwebp: OOB write in BuildHuffmanTable

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI