LibWebP vulnerability affecting react native apps

Question

LibWebP vulnerability affecting react native apps

ibr4qr opened this issue a year ago · 4 comments

Introduction

Fresco update to the latest version( 3.1.2 ) due the CVE-2023-4863 vulnerability

Details

LibWebP has a reported critical zero-click vulnerability, the vulnerability in LibWebP was discovered on September 7, 2023 by researchers at the University of Toronto's Citizen Lab.

Discussion points

Since @facebook/react-native brings Fresco dependency which is affected by the LibWebP vulnerability, do we have a plan to migrate to the latest Fresco version?

Answer 1 · 2023-10-25T09:37:55.000Z

We're aware of the issue.

Sadly the latest version of Fresco is broken:

facebook/fresco#2747

We're waiting for 3.1.3 to do this bump

Answer 2 · 2023-10-25T19:15:01.000Z

Fix is included in Fresco 3.1.3:
https://github.com/facebook/fresco/releases/tag/v3.1.3

It has already been bumped inside React Native and will be released in 0.73.0

Answer 3 · 2023-10-26T00:09:33.000Z

It has already been bumped inside React Native and will be released in 0.73.0

It probably wouldn’t be a bad idea to backport this to older releases as well. Dealing with untrusted WebP is not uncommon. E.g. a bad case could be a user sending a malicious image in a chat app that causes code execution on the other end.

From what I was looking at earlier, I think Electron backported.

Answer 4 · 2023-12-13T14:09:16.000Z

On the backport side, we discussed this a bit and we decided to don't include a major version bump of Fresco in a patch release of React Native.

If you want to use Fresco 3.0.0 you can either:

Update RN to 0.73.0
Include the following lines in your android/app/build.gradle

...
dependencies {
    ...
+   implementation("com.facebook.fresco:fresco:3.1.3")
+   implementation("com.facebook.fresco:middleware:3.1.3")
+   implementation("com.facebook.fresco:imagepipeline-okhttp3:3.1.3")
+   implementation("com.facebook.fresco:ui-common:3.1.3")
}