Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jbnm-5se3-cfc4
Vulnerability ID VCID-jbnm-5se3-cfc4
Aliases GHSA-9q78-27f3-2jmh
Summary webp crate may expose memory contents when encoding an image Affected versions of this crate did not check that the input slice passed to `"webp::Encoder::encode()` is large enough for the specified image dimensions. If the input slice is too short, the library will read out of bounds of the buffer and encode other memory contents as an image, resulting in memory exposure or a segmentation fault. The flaw was corrected in [pull request #44](https://github.com/jaredforth/webp/pull/44) by always validating the input buffer size when constructing the encoder.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-125 Out-of-bounds Read
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-9q78-27f3-2jmh
cvssv4 4.6 https://github.com/jaredforth/webp
generic_textual MODERATE https://github.com/jaredforth/webp
cvssv4 4.6 https://github.com/jaredforth/webp/commit/62b47060d7fb8cc0e92e522ee54948edf5aab556
generic_textual MODERATE https://github.com/jaredforth/webp/commit/62b47060d7fb8cc0e92e522ee54948edf5aab556
cvssv4 4.6 https://github.com/jaredforth/webp/issues/40
generic_textual MODERATE https://github.com/jaredforth/webp/issues/40
cvssv4 4.6 https://github.com/jaredforth/webp/pull/44
generic_textual MODERATE https://github.com/jaredforth/webp/pull/44
cvssv4 4.6 https://rustsec.org/advisories/RUSTSEC-2024-0443.html
generic_textual MODERATE https://rustsec.org/advisories/RUSTSEC-2024-0443.html
Reference id Reference type URL
https://github.com/jaredforth/webp
https://github.com/jaredforth/webp/commit/62b47060d7fb8cc0e92e522ee54948edf5aab556
https://github.com/jaredforth/webp/issues/40
https://github.com/jaredforth/webp/pull/44
https://rustsec.org/advisories/RUSTSEC-2024-0443.html
GHSA-9q78-27f3-2jmh https://github.com/advisories/GHSA-9q78-27f3-2jmh
No exploits are available.
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/jaredforth/webp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/jaredforth/webp/commit/62b47060d7fb8cc0e92e522ee54948edf5aab556
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/jaredforth/webp/issues/40
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/jaredforth/webp/pull/44
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://rustsec.org/advisories/RUSTSEC-2024-0443.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:55:55.223692+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-9q78-27f3-2jmh/GHSA-9q78-27f3-2jmh.json 38.0.0