WebP 0-Day CVE-2023-5129: How to Identify Vulnerable Apps with NinjaOne


A zero-day vulnerability (CVE-2023-5129) in the WebP image library is being actively exploited, putting major browsers and scores of additional apps at risk.

NOTE: NinjaOne is NOT impacted by this vulnerability. 

Ok, what’s happening?

On Wednesday, September 27, Google issued a vulnerability tagged as CVE-2023-5129 and gave it a base score of 10.0. That’s as bad as it gets, and underscores the threat and seriousness of the flaw.

What is CVE-2023-5129?

CVE-2023-5129 is a heap buffer overflow flaw in the WebP image format. In particular, in the way it provides lossless compression for images on the web (using WebP allows web developers to create smaller images that still look great, making browsing faster). We won’t get into the nitty gritty details here, but you can find more info on heap buffer overflow flaws in general, and on the issue with libwebp library’s “BuildHuffmanTable” function, specifically, in this post from Alex Ivanovs at StackDiary.

Of note: this vulnerability was originally tracked as CVE-2023-4863, and attributed only to Chrome. The new CVE was issued to clarify that the flaw actually applies to a much more expansive number of apps (partial list below).

How bad is CVE-2023-5129?

Unfortunately, very (hence the 10.0 CVSS). For three different reasons:

  • The impact is extremely broad: The vulnerability affects any software that utilizes the WebP codec. That includes major browsers like Chrome, Firefox, Safari, and Edge, but, as mentioned, also a host of additional apps (partial list below). Admins still experiencing PTSD from log4j are once gain reconsidering their life choices.
  • The impact of exploitation is extremely serious: Successful exploitation could potentially result in attackers taking control of a system, executing arbitrary code, and accessing sensitive user data.
  • Attackers are already actively exploiting it: Earlier this month (September 11), Google acknowledged that CVE-2023-4863 was being exploited in the wild. In addition, the flaw has been linked to Citizen Lab’s September 7 “BLASTPASS” report disclosing a zero-click, zero-day iPhone exploit captured in the wild.

What apps are affected by CVE-2023-5129?

NOTE: NinjaOne is NOT impacted by this vulnerability. 

Update Sept 28: Security professional Michael Taggart has created a large list of apps he’s continuously updating here. There are currently 744 with 165 confirmed vulnerable. 

Numerous apps employ WebP image handling via libwebp. As reported at cyberkendra.com, “since the codec is build into Android, all native browser apps on Android devices are affected.”

But the list expands from there. They also point out that, according to a list compiled on Wikipedia, the following application uses WebP codec:

  • 1Password
  • balenaEtcher
  • Basecamp 3
  • Beaker (web browser)
  • Bitwarden
  • CrashPlan
  • Cryptocat (discontinued)
  • Discord
  • Eclipse Theia
  • FreeTube
  • GitHub Desktop
  • GitKraken
  • Joplin
  • Keybase
  • Lbry
  • Light Table
  • Logitech Options +
  • LosslessCut
  • Mattermost
  • Microsoft Teams
  • MongoDB Compass
  • Mullvad
  • Notion
  • Obsidian
  • QQ (for macOS)
  • Quasar Framework
  • Shift
  • Signal
  • Skype
  • Slack
  • Symphony Chat
  • Tabby
  • Termius
  • Twitch
  • Visual Studio Code
  • WebTorrent
  • Wire
  • Yammer

What apps have patches for CVE-2023-5129 available?

Cyberkendra.com is also compiling a helpful list of vendors that have pushed patches for this vulnerability, and will be actively updating it:

What can admins do now to protect their networks?

With all the attention this is bound to get, and with active exploitation already confirmed, it’s highly recommended to patch vulnerable apps (and confirm patches have been applied) as soon as possible once updates are available.

Unfortunately, the full scope of affected applications is yet to be determined, and you can’t patch an app if you don’t know it’s vulnerable or if a patch isn’t available. Hopefully, additional vendors will be providing more information and clarity soon.

In the meantime…

How to identify vulnerable apps using NinjaOne

Until we know the full scope of vulnerable applications to become more clear, IT pros can at the very least search their networks for devices running outdated versions of apps that have been patched. In this video, NinjaOne Product Lead Gavin Stone walks through how NinjaOne users can do exactly that by utilizing the software inventory filter:

Additional links and resources

Next Steps

Empower your IT infrastructure with NinjaOne Patch Management to ensure a fortified defense against vulnerabilities and keep your systems running at their best.

Learn more about NinjaOne Patch Management, check out a live tour, or start your free trial of the NinjaOne platform.

You might also like

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

Watch Demo×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Start a Free Trial of the
#1 Endpoint Management Software on G2

No credit card required, full access to all features

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).