Closed jhuckaby closed 1 year ago
There is a zero-day heap overflow bug in WebP: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
Chrome was just updated to patch this: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Does the WebP WASM library that is bundled with Squoosh need to be updated as well, or does the sandbox nature of WASM protect us here?
There’s no risk here thanks to the Wasm Sandbox. We should update WebP, but there is no urgency.
Got it, thanks! I'll go ahead and close this issue.