GHSA-4vjr-crvh-383h: 
JavaScript vulnerability analysis and mitigation

A critical heap buffer overflow vulnerability (CVE-2023-4863) was discovered in the WebP image library, affecting the lossless compression functionality. The vulnerability was initially reported by Apple's Security Engineering and Architecture (SEAR) team to Google Chrome team in early September 2023. The issue affects multiple software products that use the libwebp library for processing WebP images, including Chrome, iOS, and Android devices (Isosceles Blog).

The vulnerability exists in the BuildHuffmanTable function within the lossless compression (VP8L) support of WebP. The issue occurs during the Huffman coding process where the code uses pre-calculated buffer sizes from a fixed table and constructs Huffman tables directly into that allocation without proper size validation. This can lead to an out-of-bounds write when processing specially crafted WebP images. The vulnerability has been assigned a CVSS score of 8.8 (High), with attack vector being Network, attack complexity Low, and requiring user interaction (GitHub Advisory).

The vulnerability allows remote attackers to perform out-of-bounds memory writes via crafted WebP images, potentially leading to code execution. The impact is particularly severe as it affects multiple platforms and applications that process WebP images, including major browsers and mobile operating systems. The vulnerability has been confirmed to be exploited in the wild as part of sophisticated attack chains (Isosceles Blog).

The vulnerability has been patched in libwebp with a fix that implements a 'first pass' construction to calculate the total size required for the output table before actual allocation and writing. Various affected vendors have released updates: Chrome has released an urgent patch, Apple has issued security updates for iOS and macOS, and other dependent packages have also been updated. Users are strongly advised to update their systems and applications to the latest versions (GitHub Advisory).

The discovery of this vulnerability has sparked significant discussion in the security community, particularly regarding the challenges of finding such complex vulnerabilities through automated fuzzing. The quick response from major vendors like Google and Apple in patching the vulnerability has been noted, though concerns have been raised about the potential impact on Android devices which may take longer to receive updates (Isosceles Blog).