Is imgproxy secure against CVE-2023-4863?

[sihu]

Since I could not find any mention of CVE-2023-4863 (described in this blog) in this repo I was wondering, if it was secure against it?

I saw that webp images are limited in these lines

imgproxy/processing/fix_size.go

Lines 14 to 36 in a2fd4bc

	const (
	// https://chromium.googlesource.com/webm/libwebp/+/refs/heads/master/src/webp/encode.h#529
	webpMaxDimension = 16383.0
	gifMaxDimension = 65535.0
	icoMaxDimension = 256.0
	)
	func fixWebpSize(img *vips.Image) error {
	webpLimitShrink := float64(imath.Max(img.Width(), img.Height())) / webpMaxDimension
	if webpLimitShrink <= 1.0 {
	return nil
	}
	scale := 1.0 / webpLimitShrink
	if err := img.Resize(scale, scale); err != nil {
	return err
	}
	log.Warningf("WebP dimension size is limited to %d. The image is rescaled to %dx%d", int(webpMaxDimension), img.Width(), img.Height())
	return nil
	}

but i am not sure if all webp images are processed since at least animated in the docs this was mentioned:

imgproxy can process animated images (GIF, WebP), but since this operation is pretty memory heavy, only one frame is processed by default.

[DarthSim]

imgproxy uses libwebp 1.3.2 which has this CVE fixed

[sihu]

thx so much for the quick reply. just to ensure:

if i serve a malicious webp through the proxy that was uploaded by someone, the clients will not be affected, even if they use an old chrome that has still an old version of libwebp in it?

[DarthSim]

Usage of libwebp 1.3.2 protects imgproxy itself. When imgproxy processes an image, it decodes it and then encodes it to the resulting format. So the resulting image won't be malicious anyway. if imgproxy doesn't process an image due to the IMGPROXY_SKIP_PROCESSING_FORMATS config or the raw option, it serves the original image without modifications.