RUSTSEC-2025-0061: 
Rust vulnerability analysis and mitigation

The vulnerability, identified as RUSTSEC-2023-0061, was discovered in the libwebp library, which is widely used for handling WebP images across various applications. Initially reported through Google Chrome's security advisory (CVE-2023-4863) in September 2023, the vulnerability was found to have much broader implications than initially suggested (Cloudflare Blog).

The vulnerability is a heap buffer overflow in the libwebp library's lossless codec's handling of Huffman coding. The issue occurs when processing specially crafted WebP files containing unbalanced Huffman trees with codes longer than normal, causing the function generating lookup tables to write data beyond the allocated buffer. The bug existed because libwebp would write invalid lookup tables before performing consistency checks (Cloudflare Blog).

Due to WebP's widespread adoption in web browsers, email clients, chat apps, graphics programs, and operating systems, this vulnerability had far-reaching consequences affecting virtually all users of the WebP format. The heap buffer overflow could allow attackers to modify sensitive data in memory, potentially leading to code execution (Cloudflare Blog).

The issue was addressed through a patch to libwebp that implemented additional validation of input data and modified the dynamic memory allocation model. The fix ensures that input data creates valid internal structures and allocates sufficient memory for the buffer. Applications supporting WebP images needed to be updated with the patched version of libwebp (Cloudflare Blog).