5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41132

GHSA ID

GHSA-qxrv-gp6x-rc23

EPSS Score

0.78772%

CWE

CWE-770

Published

7/22/2024

Updated

9/11/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41132

CVE-2024-41132: SixLabors ImageSharp has Excessive Memory Allocation in Gif Decoder

Impact

What kind of vulnerability is it? Who is impacted?

A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usage in the Gif decoder. The vulnerability is triggered when ImageSharp attempts to process image files that are designed to exploit this flaw.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem has been patched. All users are advised to upgrade to v3.1.5 or v2.1.9.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Before calling Image.Decode(Async), use Image.Identify to determine the image dimensions in order to enforce a limit.

References

Are there any links users can visit to find out more?

https://github.com/SixLabors/ImageSharp/pull/2759
https://github.com/SixLabors/ImageSharp/pull/2764
https://github.com/SixLabors/ImageSharp/pull/2770
ImageSharp: Security Considerations
ImageSharp.Web: Securing Processing Commands

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41132

GHSA ID

GHSA-qxrv-gp6x-rc23

EPSS Score

0.78772%

CWE

CWE-770

Published

7/22/2024

Updated

9/11/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
SixLabors.ImageSharp	nuget	< 2.1.9	2.1.9
SixLabors.ImageSharp	nuget	>= 3.0.0, < 3.1.5	3.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the GIF decoder handled LZW-compressed image data. The original implementation in GifDecoderCore.cs allocated a full Buffer2D<byte> for all pixel indices (width*height) before decoding, while LzwDecoder.cs's DecodePixels method processed the entire image in one pass. This allowed attackers to specify malicious dimensions leading to excessive allocations. The patches replaced this with row-by-row decoding (DecodePixelRow) using temporary buffers, significantly reducing peak memory usage. The CWEs (770/789) directly map to these unthrottled allocations based on unvalidated input values.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ * vuln*r**ility *is*ov*r** in t** Im***S**rp li*r*ry, w**r* t** pro**ssin* o* sp**i*lly *r**t** *il*s **n l*** to *x**ssiv* m*mory us*** in t** *i* ***o**r. T** vuln*r**ility is tri***r

Reasoning

T** vuln*r**ility st*ms *rom *ow t** *I* ***o**r **n*l** LZW-*ompr*ss** im*** **t*. T** ori*in*l impl*m*nt*tion in *i****o**r*or*.*s *llo**t** * *ull *u***r**<*yt*> *or *ll pix*l in*i**s (wi*t****i**t) ***or* ***o*in*, w*il* Lzw***o**r.*s's ***o**Pix

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-41132: SixLabors ImageSharp has Excessive Memory Allocation in Gif Decoder

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI