GHSA-94vc-p8w7-5p49: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-94vc-p8w7-5p49) affects imagecodecs versions before v2023.9.18, which bundled libwebp binaries that were vulnerable to CVE-2023-5129 (previously CVE-2023-4863). This high-severity security issue was discovered and disclosed in October 2023, affecting the image processing capabilities of the software (GitHub Advisory).

The vulnerability stems from a heap buffer overflow issue in libwebp, which could be triggered when processing specially crafted WebP lossless files. The technical root cause involves the ReadHuffmanCodes() function allocating a HuffmanCode buffer with a size from precomputed sizes (kTableSize), where the array only accounts for 8-bit first-level table lookups but not second-level table lookups. This mismatch could lead to out-of-bounds writes when BuildHuffmanTable() attempts to fill second-level tables (NVD).

The vulnerability has a high severity rating with a CVSS v3.1 base score of 8.8 (HIGH), indicating significant potential impact. If exploited, the vulnerability could allow remote attackers to perform out-of-bounds memory writes via crafted HTML pages, potentially leading to code execution or system compromise (CISA-ADP).

The vulnerability has been patched in imagecodecs version 2023.9.18, which upgrades the bundled libwebp binary to v1.3.2. Users are strongly advised to upgrade to this version or later to mitigate the security risk. Organizations should either apply the vendor-provided mitigations or discontinue use of the product if mitigations are unavailable (GitHub Advisory).