5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32036

GHSA ID

GHSA-5x7m-6737-26cr

EPSS Score

0.53072%

CWE

CWE-212

Published

4/15/2024

Updated

1/9/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32036

CVE-2024-32036: SixLabors.ImageSharp vulnerable to data leakage

Impact

A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.

Patches

The problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.

Workarounds

None

References

None

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32036

GHSA ID

GHSA-5x7m-6737-26cr

EPSS Score

0.53072%

CWE

CWE-212

Published

4/15/2024

Updated

1/9/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SixLabors.ImageSharp	nuget	< 2.1.8	2.1.8
SixLabors.ImageSharp	nuget	>= 3.0.0, < 3.1.4	3.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uninitialized pixel buffers in JPEG/TGA decoders. The patches explicitly add AllocationOptions.Clean (JPEG) and replace CreateUninitialized with a constructor that initializes buffers (TGA). These changes directly address CWE-212 and CWE-226 by ensuring buffers are cleared before reuse. The affected functions are clearly identified in the commit diffs as the pre-patch buffer allocation points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * **t* l**k*** *l*w w*s *oun* in Im***S**rp's JP** *n* T** ***o**rs. T*is vuln*r**ility is tri***r** w**n *n *tt**k*r p*ss*s * sp**i*lly *r**t** JP** or T** im*** *il* to * so*tw*r* usin* Im***S**rp, pot*nti*lly *is*losin* s*nsitiv* in*orm

Reasoning

T** vuln*r**ility st*ms *rom uniniti*liz** pix*l *u***rs in JP**/T** ***o**rs. T** p*t***s *xpli*itly *** `*llo**tionOptions.*l**n` (JP**) *n* r*pl*** `*r**t*Uniniti*liz**` wit* * *onstru*tor t**t initi*liz*s *u***rs (T**). T**s* ***n**s *ir**tly ***

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-32036: SixLabors.ImageSharp vulnerable to data leakage

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI