Beware of Maliciously Crafted Blurhashes in blurhash-rs Image Encoding Library

CVE: CVE-2023-42447
CVSS v3.1: 8.6
Source: CVE-2023-42447

The blurhash-rs library is a popular Rust implementation used for encoding images into ASCII strings that can later be rendered as a gradient representing the original image. However, a vulnerability was discovered that could allow remote attackers to crash programs using blurhash-rs.

Specifically, the parsing code did not properly validate user-supplied blurhash strings before using them. A malicious actor could craft a blurhash containing invalid multi-byte UTF-8 characters that caused out-of-bounds memory accesses when parsed. Any application that accepts blurhashes over a network connection could therefore be crashed simply by being sent such a string.

While no data is directly exposed, crashing core services can still be exploited for denial of service. Users of blurhash-rs are recommended to upgrade to version 0.2.0, which fixes this issue. Because the fix required some minor API changes, upgrading needs manual intervention, but it protects against this panic vulnerability.

In general, always keep an eye out for software updates, as libraries do not always validate external data properly. Be cautious of any services or programs that process untrusted blurhashes received over the internet, and verify that upgrades are actually applied so that vulnerabilities like this one are mitigated.
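The root cause described above is a decoder that trusts the shape of an incoming blurhash string. As an added example (not blurhash-rs code, and independent of the 0.2.0 API), the function below pre-validates an untrusted blurhash at the trust boundary before any decoder sees it. It works on raw bytes rather than indexing a `str`, so a multi-byte UTF-8 sequence is rejected with an error instead of being treated as a single character. The format rules it enforces come from the public blurhash specification: a single-byte base-83 alphabet, a leading size flag encoding the component counts (each 1 to 9), and a total length of 4 + 2 * components_x * components_y. The sample strings in `main` are constructed for illustration.

```rust
// Added example: validate an untrusted blurhash before decoding it.
// Alphabet from the blurhash specification (83 single-byte ASCII chars).
const BASE83_ALPHABET: &[u8] =
    b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz#$%*+,-.:;=?@[]^_{|}~";

#[derive(Debug, PartialEq)]
pub enum BlurhashError {
    /// Shorter than the smallest possible hash (1x1 components = 6 chars).
    TooShort,
    /// A byte >= 0x80, i.e. part of a multi-byte UTF-8 character.
    NonAscii { byte_index: usize },
    /// An ASCII byte that is not in the base-83 alphabet.
    InvalidChar { index: usize, ch: char },
    /// Size flag decodes to a component count outside 1..=9.
    ComponentsOutOfRange { components_x: usize, components_y: usize },
    /// Declared components do not match the string length.
    LengthMismatch { expected: usize, actual: usize },
}

/// Position of `c` in the base-83 alphabet, or None if it is not a member.
fn base83_value(c: u8) -> Option<usize> {
    BASE83_ALPHABET.iter().position(|&b| b == c)
}

/// Checks that `s` is a well-formed blurhash and returns the
/// (components_x, components_y) pair it declares. Every check is done on
/// bytes, so no char-boundary assumption is ever made about the input.
pub fn validate_blurhash(s: &str) -> Result<(usize, usize), BlurhashError> {
    let bytes = s.as_bytes();
    if bytes.len() < 6 {
        return Err(BlurhashError::TooShort);
    }
    for (i, &b) in bytes.iter().enumerate() {
        // Non-ASCII bytes can never be in the alphabet; report them
        // separately so logs show a UTF-8 smuggling attempt distinctly.
        if !b.is_ascii() {
            return Err(BlurhashError::NonAscii { byte_index: i });
        }
        if base83_value(b).is_none() {
            return Err(BlurhashError::InvalidChar { index: i, ch: b as char });
        }
    }
    // Size flag: (components_y - 1) * 9 + (components_x - 1).
    let size_flag = base83_value(bytes[0]).expect("alphabet membership checked above");
    let components_y = size_flag / 9 + 1;
    let components_x = size_flag % 9 + 1;
    if !(1..=9).contains(&components_x) || !(1..=9).contains(&components_y) {
        return Err(BlurhashError::ComponentsOutOfRange { components_x, components_y });
    }
    let expected = 4 + 2 * components_x * components_y;
    if bytes.len() != expected {
        return Err(BlurhashError::LengthMismatch { expected, actual: bytes.len() });
    }
    Ok((components_x, components_y))
}

fn main() {
    // Constructed samples: one well-formed hash and several malformed ones.
    let samples = [
        "LEHV6nWB2yk8pyo0adR*.7kCMdnj",   // valid, 4x3 components
        "LEHV6nWB2yk8pyo0adR*.7kCMdn\u{e9}", // multi-byte UTF-8 at the end
        "LEHV6nWB2yk8pyo0adR*.7kCMdn!",   // '!' is not base-83
        "LEHV6nWB2yk8pyo0adR*.7kCMdn",    // one character short
        "}00000",                         // size flag 81 -> 10 rows
    ];
    for s in samples {
        println!("{:?} -> {:?}", s, validate_blurhash(s));
    }
}
```

This is defense in depth at the point where network input enters the process; it does not replace upgrading to 0.2.0, but it means a malformed string is turned into a handled error (and a log line) rather than reaching a decoder at all.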
