Miggo Logo
Miggo Vulnerability Database
CVE-2023-5217

CVE-2023-5217:
Electron affected by libvpx's heap buffer overflow in vp8 encoding

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-5217
GHSA ID
GHSA-qqvq-6xgj-jw8g
EPSS Score
0.82987%
CWE
CWE-787
Published
9/28/2023
Updated
2/15/2024
KEV Status
Yes
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
electronnpm< 22.3.2522.3.25
electronnpm>= 24.0.0, < 24.8.524.8.5
electronnpm>= 25.0.0, < 25.8.425.8.4
electronnpm>= 26.0.0, < 26.2.426.2.4
electronnpm>= 27.0.0-alpha.1, < 27.0.0-beta.827.0.0-beta.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The CVE-2023-5217 fix in libvpx commit 3fbd1dca6a4d2dad332a2110d646e4ffef36d590 specifically modifies vp8_change_config() to prevent thread count changes after encoder creation. Electron's patches incorporate this fix. The vulnerability occurs when reconfiguring thread counts post-initialization, causing heap corruption due to pre-allocated resources. The function's lack of thread change validation before the patch directly matches the described heap buffer overflow scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

***p *u***r ov*r*low in vp* *n*o*in* in li*vpx in *oo*l* **rom* prior to ***.*.****.*** *n* li*vpx *.**.* *llow** * r*mot* *tt**k*r to pot*nti*lly *xploit ***p *orruption vi* * *r**t** *TML p***.

Reasoning

T** *V*-****-**** *ix in li*vpx *ommit **************************************** sp**i*i**lly mo*i*i*s vp*_***n**_*on*i*() to pr*v*nt t*r*** *ount ***n**s **t*r *n*o**r *r**tion. *l**tron's p*t***s in*orpor*t* t*is *ix. T** vuln*r**ility o**urs w**n r