Is imgproxy secure against CVE-2023-4863? #1237

sihu · 2024-01-05T09:39:13Z

sihu
Jan 5, 2024

Since I could not find any mention of CVE-2023-4863 (described in this blog) in this repo I was wondering, if it was secure against it?

I saw that webp images are limited in these lines

imgproxy/processing/fix_size.go

Lines 14 to 36 in a2fd4bc

    
           const ( 
        
           	// https://chromium.googlesource.com/webm/libwebp/+/refs/heads/master/src/webp/encode.h#529 
        
           	webpMaxDimension = 16383.0 
        
           	gifMaxDimension  = 65535.0 
        
           	icoMaxDimension  = 256.0 
        
           ) 
        
           func fixWebpSize(img *vips.Image) error { 
        
           	webpLimitShrink := float64(imath.Max(img.Width(), img.Height())) / webpMaxDimension 
        
           	if webpLimitShrink <= 1.0 { 
        
           		return nil 
        
           	} 
        
           	scale := 1.0 / webpLimitShrink 
        
           	if err := img.Resize(scale, scale); err != nil { 
        
           		return err 
        
           	} 
        
           	log.Warningf("WebP dimension size is limited to %d. The image is rescaled to %dx%d", int(webpMaxDimension), img.Width(), img.Height()) 
        
           	return nil 
        
           }

but i am not sure if all webp images are processed since at least animated in the docs this was mentioned:

imgproxy can process animated images (GIF, WebP), but since this operation is pretty memory heavy, only one frame is processed by default.

Answered by DarthSim

Jan 5, 2024

imgproxy uses libwebp 1.3.2 which has this CVE fixed

View full answer

DarthSim · 2024-01-05T10:33:05Z

DarthSim
Jan 5, 2024
Maintainer

imgproxy uses libwebp 1.3.2 which has this CVE fixed

2 replies

sihu Jan 5, 2024
Author

thx so much for the quick reply. just to ensure:

if i serve a malicious webp through the proxy that was uploaded by someone, the clients will not be affected, even if they use an old chrome that has still an old version of libwebp in it?

DarthSim Jan 14, 2024
Maintainer

Usage of libwebp 1.3.2 protects imgproxy itself. When imgproxy processes an image, it decodes it and then encodes it to the resulting format. So the resulting image won't be malicious anyway. if imgproxy doesn't process an image due to the IMGPROXY_SKIP_PROCESSING_FORMATS config or the raw option, it serves the original image without modifications.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Is imgproxy secure against CVE-2023-4863? #1237

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Is imgproxy secure against CVE-2023-4863? #1237

sihu Jan 5, 2024

Replies: 1 comment · 2 replies

DarthSim Jan 5, 2024 Maintainer

sihu Jan 5, 2024 Author

DarthSim Jan 14, 2024 Maintainer

sihu
Jan 5, 2024

Replies: 1 comment 2 replies

DarthSim
Jan 5, 2024
Maintainer

sihu Jan 5, 2024
Author

DarthSim Jan 14, 2024
Maintainer