LibWebP vulnerability affecting react native apps
ibr4qr opened this issue · 4 comments
Introduction
Fresco update to the latest version( 3.1.2 ) due the CVE-2023-4863 vulnerability
Details
LibWebP has a reported critical zero-click vulnerability, the vulnerability in LibWebP was discovered on September 7, 2023 by researchers at the University of Toronto's Citizen Lab.
Discussion points
Since @facebook/react-native brings Fresco dependency which is affected by the LibWebP vulnerability, do we have a plan to migrate to the latest Fresco version?
We're aware of the issue.
Sadly the latest version of Fresco is broken:
We're waiting for 3.1.3 to do this bump
Fix is included in Fresco 3.1.3:
https://github.com/facebook/fresco/releases/tag/v3.1.3
It has already been bumped inside React Native and will be released in 0.73.0
It has already been bumped inside React Native and will be released in 0.73.0
It probably wouldn’t be a bad idea to backport this to older releases as well. Dealing with untrusted WebP is not uncommon. E.g. a bad case could be a user sending a malicious image in a chat app that causes code execution on the other end.
From what I was looking at earlier, I think Electron backported.
On the backport side, we discussed this a bit and we decided to don't include a major version bump of Fresco in a patch release of React Native.
If you want to use Fresco 3.0.0 you can either:
- Update RN to 0.73.0
- Include the following lines in your
android/app/build.gradle
...
dependencies {
...
+ implementation("com.facebook.fresco:fresco:3.1.3")
+ implementation("com.facebook.fresco:middleware:3.1.3")
+ implementation("com.facebook.fresco:imagepipeline-okhttp3:3.1.3")
+ implementation("com.facebook.fresco:ui-common:3.1.3")
}