CVE-2023-42447: blurhash panics on parsing crafted inputs

September 21, 2023

The blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.

In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include:

UTF-8 compliant strings containing multi-byte UTF-8 characters

References

github.com/advisories/GHSA-cxvp-82cq-57h2
github.com/whisperfish/blurhash-rs
github.com/whisperfish/blurhash-rs/releases/tag/v0.2.0
github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2
nvd.nist.gov/vuln/detail/CVE-2023-42447

Detect and mitigate CVE-2023-42447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →