Safeguard
Vulnerabilities

libwebp and CVE-2023-4863: The Full Story

A heap buffer overflow in libwebp's lossless decoder, exploited in the wild before a patch existed, turned out to affect far more software than the browser it was first reported in.

Safeguard Research Team
Research
5 min read

The libwebp vulnerability tracked as CVE-2023-4863 is a heap buffer overflow in libwebp's lossless image decoding path, and what made it notable wasn't just the bug class — heap overflows in image decoders are unfortunately common — but the fact that it was found under active exploitation before a patch existed, and that libwebp turned out to be embedded in far more software than the browser where it was first reported.

What kind of bug was CVE-2023-4863?

It's a heap buffer overflow: libwebp's routine for decoding lossless WebP images could write past the bounds of an allocated buffer when handling a maliciously crafted image, corrupting adjacent heap memory in a way that an attacker could shape into arbitrary code execution. Image-decoding libraries are a recurring target for this bug class precisely because they parse complex, attacker-supplied binary formats and often run in privileged or widely-reachable contexts — anywhere an image gets rendered, from a chat app's thumbnail preview to a browser tab, the decoder runs.

Why did this affect so much more than one browser?

Because libwebp isn't just a browser component — it's a shared library that ships inside Chromium (and therefore Chrome and every Chromium-based browser), Firefox, Electron applications, many image-processing pipelines, and countless mobile and desktop apps that link against it for WebP support. The vulnerability was initially reported and tracked in the context of a browser 0-day, and it took the security community some time to recognize that the actual root cause lived in libwebp itself, meaning any application statically linking or bundling a vulnerable libwebp copy carried the same exposure independent of which browser, if any, was involved. That realization is why the CVE assignment and severity discussion around this issue was unusually tangled for a period — the same underlying flaw touched multiple products through different distribution paths.

What made this a real-world exploited vulnerability rather than a theoretical one?

It was discovered in the course of investigating targeted spyware campaigns, where a crafted image was used as part of an exploit chain to compromise a device without any user interaction beyond receiving the image. That context — a bug found because it was already being used against real targets, not found first by researchers and then weaponized — is what pushed vendors to ship emergency patches quickly rather than folding the fix into a normal release cycle. It's also a useful reminder that image, video, and font parsing libraries are a consistently attractive target for this kind of exploit chain, because they process untrusted binary data by design and are present on nearly every device.

How do you find out if your own software bundles a vulnerable libwebp?

Check both your direct dependencies and anything you've vendored or statically linked — libwebp shows up transitively through image-processing libraries, PDF renderers, and any Electron or Chromium-embedding application, and a manifest-only dependency scan will miss copies that were vendored into a binary rather than declared as a package dependency. Safeguard's SCA scanning fingerprints binary and bundled library components in addition to declared package dependencies, which is the only reliable way to catch a statically linked libwebp copy that never appears in a package.json or pom.xml in the first place.

What does this incident say about how software supply chains actually work?

It's a clean illustration of how deep a single shared library can sit beneath the software an organization thinks it's tracking. Most teams maintain a reasonably accurate inventory of their direct application dependencies — the frameworks and packages listed in a manifest file — but far fewer maintain an equally accurate inventory of the native libraries bundled inside those dependencies, or inside the runtime and browser components their own software embeds. libwebp's exposure was a wake-up call specifically because it wasn't hiding in an obscure corner of the ecosystem; it was present, unnoticed, inside some of the most widely deployed software on the planet, which meant the practical remediation effort for many organizations was less about patching one library and more about first discovering every place it was quietly present.

FAQ

Is CVE-2023-4863 the same issue as the ImageIO vulnerability reported around the same time?

They were reported close together and were part of the same broader exploit-chain investigation, but they affect different components — CVE-2023-4863 is specifically the libwebp heap buffer overflow, distinct from vulnerabilities found in other image-parsing frameworks during the same period. Reporting from that period sometimes conflated the two because they surfaced from related investigations.

Does updating my browser fully fix this?

Updating the browser fixes the browser's own bundled libwebp copy, but it doesn't fix other applications on the same machine that bundle their own separate libwebp — each affected application needs its own update.

How can teams catch this kind of bundled-library risk earlier next time?

By maintaining an accurate software bill of materials that includes vendored and statically linked components, not just declared package dependencies — the organizations that identified their exposure quickest were the ones that already had visibility into every copy of libwebp across their software, rather than needing to audit from scratch after the advisory landed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.