DylanVann / react-native-fast-image

🚩 FastImage, performant React Native image component.
MIT License

Critical WebP 0-day security CVE-2023-4863 #1011

Open huaguoshi opened 9 months ago

huaguoshi commented 9 months ago

Detailed paths
Introduced through: Podfile@0.0.0 › RNFastImage@8.6.3 › SDWebImageWebPCoder@0.8.5 › libwebp@1.2.4

Security information
Factors contributing to the scoring:
Snyk: CVSS 10.0 - CRITICAL Severity
NVD: 8.8 HIGH

libwebp is a library to encode and decode images in WebP format.

markosrx commented 8 months ago

+1

Thenlie commented 8 months ago

I have added the following code to my Podfile which seems to update this dependency for FastImage. Seems like an acceptable workaround for the time being.

# Dependency chain: RNFastImage -> SDWebImageWebPCoder -> libwebp
pod 'libwebp', '1.3.2', :source => 'https://cdn.cocoapods.org/'
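An added check, not part of this thread or of react-native-fast-image: a Ruby script that parses a CocoaPods Podfile.lock, compares the resolved libwebp version against the 1.3.2 pin used above, and prints the dependency chain that pulls libwebp in. It assumes the standard Podfile.lock layout; the embedded lock file is a constructed sample modelled on the chain reported in this issue.

```ruby
require "rubygems" # Gem::Version compares numerically ("1.10.0" > "1.9.0"); loaded by default anyway
# First libwebp release carrying the CVE-2023-4863 fix (the version pinned in the workaround above).
FIXED_LIBWEBP = Gem::Version.new("1.3.2")

# Constructed sample Podfile.lock modelled on the chain reported in this issue
# (RNFastImage -> SDWebImageWebPCoder -> libwebp); not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - libwebp (1.2.4):
      - libwebp/webp (= 1.2.4)
    - RNFastImage (8.6.3):
      - SDWebImageWebPCoder (~> 0.8.4)
    - SDWebImageWebPCoder (0.8.5):
      - libwebp (~> 1.0)

  DEPENDENCIES:
    - RNFastImage (from `../node_modules/react-native-fast-image`)
LOCK

# Parse the PODS: section into { pod_name => [resolved_version, [dependency names]] }.
def parse_pods(lock_text)
  pods, current = {}, nil
  section = lock_text[/^PODS:\n(.*?)(?:\n\n|\z)/m, 1] || ""   # PODS: block ends at the first blank line
  section.each_line do |line|
    if (m = line.match(/\A  - (\S+) \(([^)]+)\):?\s*\z/))  # "  - Name (1.2.3):"
      pods[current = m[1]] = [m[2], []]
    elsif current && (m = line.match(/\A    - (\S+)/))      # "    - Dependency (constraint)"
      pods[current][1] << m[1]
    end
  end
  pods
end

# Every dependency path from root to target; cycle-safe, and pods missing from PODS: have no edges.
def paths_to(pods, root, target, path = [])
  return [] if path.include?(root)
  path += [root]
  return [path] if root == target
  pods.fetch(root, [nil, []])[1].flat_map { |dep| paths_to(pods, dep, target, path) }
end

# Returns [vulnerable?, resolved libwebp version or nil, paths from root to libwebp].
def check_libwebp(lock_text, root: "RNFastImage")
  pods = parse_pods(lock_text)
  version = pods.dig("libwebp", 0)
  return [false, nil, []] if version.nil?               # libwebp is not in the resolved graph
  [Gem::Version.new(version) < FIXED_LIBWEBP, version, paths_to(pods, root, "libwebp")]
end

vulnerable, version, paths = check_libwebp(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
puts "libwebp #{version || 'absent'}: #{vulnerable ? 'VULNERABLE' : 'ok'}", paths.map { |p| "  via #{p.join(' -> ')}" }
```

Run it as `ruby check_libwebp.rb ios/Podfile.lock` against a real lock file; with no argument it checks the constructed sample.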
Thenlie commented 8 months ago

Also, this is a duplicate of #994