
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (RUSTSEC-2023-0061) was discovered in the WebP image format implementation within the libwebp library. Initially reported through Google Chrome's security advisory on September 12, 2023, the vulnerability was identified as a heap buffer overflow in WebP processing (Cloudflare Blog).
The vulnerability is a heap buffer overflow in the lossless codec's handling of Huffman coding. The bug is triggered by specially crafted WebP files whose Huffman trees are unbalanced and contain codes longer than normal; the function that generates the decoding lookup tables then writes past the end of the allocated buffer. libwebp did check Huffman trees for validity, but it wrote the (invalid) lookup tables before running that consistency check, so the out-of-bounds write happened before the malformed input was rejected (Cloudflare Blog).
The vulnerability allows attackers to create malformed WebP image files that cause libwebp to write beyond the buffer memory allocated to the image decoder. By writing past the legal bounds of the buffer, attackers can modify sensitive data in memory, potentially leading to code execution. Given WebP's widespread adoption across web browsers, email clients, chat apps, graphics programs, and operating systems, this vulnerability had far-reaching consequences (Cloudflare Blog).
The fixed version of libwebp ensures that the input data will always create a valid internal structure and allocates more memory if necessary to ensure the buffer is always big enough. Google released patches for Chrome, and the libwebp library was officially patched. Users and organizations are advised to update all applications supporting WebP images to their latest versions (Cloudflare Blog).
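The validate-before-write ordering described above, as an added C illustration that is not libwebp's code: a Kraft-sum check of the Huffman code lengths runs before any lookup-table entry is written, so an over-subscribed (malformed) length set is rejected without the buffer being touched. MAX_BITS, the single-level table, and the sample length sets are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Added illustration, not libwebp code: check Huffman code lengths with the
 * Kraft sum BEFORE writing any lookup table. MAX_BITS and the single-level
 * table are simplifications of libwebp's real two-level layout. */
#define MAX_BITS 15
/* 1 if the lengths form a complete prefix code (or a one-symbol tree), else 0.
 * An over-subscribed tree (Kraft sum > 1) yields more table entries than fit. */
int kraft_valid(const uint8_t *lengths, size_t n) {
    uint32_t used = 0, symbols = 0;              /* used: slots of 2^MAX_BITS */
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] == 0) continue;           /* 0 = symbol not coded */
        if (lengths[i] > MAX_BITS) return 0;
        symbols++;
        used += 1u << (MAX_BITS - lengths[i]);
        if (used > (1u << MAX_BITS)) return 0;   /* over-subscribed: reject */
    }
    return symbols == 1 || used == (1u << MAX_BITS);
}
/* Fill a 2^table_bits entry table (symbol index or -1) from canonical codes.
 * Writes nothing and returns 0 unless the lengths validate and fit table_bits.
 * Codes are stored bit-reversed because the lossless reader is LSB-first. */
int build_table(const uint8_t *lengths, size_t n, int table_bits, int16_t *table) {
    int max_len = 0;
    for (size_t i = 0; i < n; i++) if (lengths[i] > max_len) max_len = lengths[i];
    if (!kraft_valid(lengths, n) || max_len > table_bits) return 0;
    for (uint32_t i = 0; i < (1u << table_bits); i++) table[i] = -1;
    uint32_t code = 0;                           /* canonical code, DEFLATE-style */
    for (int len = 1; len <= max_len; len++, code <<= 1) {
        for (size_t s = 0; s < n; s++) {
            if (lengths[s] != len) continue;
            uint32_t rev = 0;
            for (int b = 0; b < len; b++) rev |= ((code >> b) & 1u) << (len - 1 - b);
            for (uint32_t k = rev; k < (1u << table_bits); k += 1u << len)
                table[k] = (int16_t)s;           /* every longer suffix maps to s */
            code++;
        }
    }
    return 1;
}
/* Constructed sample code-length sets (not taken from any real WebP file). */
const uint8_t GOOD_LENGTHS[4] = {2, 1, 3, 3};   /* 1/4+1/2+1/8+1/8 = 1 */
const uint8_t OVERSUBSCRIBED[3] = {1, 1, 1};    /* Kraft sum 3/2 */
const uint8_t INCOMPLETE[2] = {1, 2};           /* Kraft sum 3/4 */
/* Build the 8-entry table for GOOD_LENGTHS and return entry idx (-1 on failure). */
int good_table_entry(int idx) {
    static int16_t table[8];
    return build_table(GOOD_LENGTHS, 4, 3, table) ? table[idx & 7] : -1;
}
```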
The vulnerability initially appeared to be Chrome-specific but was later recognized as affecting virtually every application handling WebP images. GitHub's vulnerability scanner quickly recognized the issue through RustSec reports, highlighting the importance of robust security reporting mechanisms (Cloudflare Blog).
Source: This report was generated using AI