U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): libvips
  • Search Type: Search All
  • CPE Name Search: false
There are 8 matching records.
Displaying matches 1 through 8.
Vuln ID Summary CVSS Severity

libvips is a demand-driven, horizontally threaded image processing library. A specially crafted SVG input can cause libvips versions 8.14.3 or earlier to segfault when attempting to parse a malformed UTF-8 character. Users should upgrade to libvips version 8.14.4 (or later) when processing untrusted input.

Published: September 11, 2023; 3:15:43 PM -0400
V3.1: 5.5 MEDIUM
V2.0:(not available)

image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.

Published: March 01, 2022; 6:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH

libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other products, has an out-of-bounds write in jxl::ModularFrameDecoder::DecodeGroup (called from jxl::FrameDecoder::ProcessACGroup and jxl::ThreadPool::RunCallState<jxl::FrameDecoder::ProcessSections).

Published: December 31, 2021; 8:15:08 PM -0500
V3.1: 5.5 MEDIUM
V2.0: 2.1 LOW

Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_eye_point, eye.c#L83, and function vips_mask_point, mask.c#L85.

Published: July 15, 2021; 12:15:09 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM

im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address.

Published: November 20, 2020; 2:15:11 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM

vips_foreign_load_gif_scan_image in foreign/gifload.c in libvips before 8.8.2 tries to access a color map before a DGifGetImageDesc call, leading to a use-after-free.

Published: October 12, 2019; 10:15:12 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM

libvips before 8.7.4 generates output images from uninitialized memory locations when processing corrupted input image data because iofuncs/memory.c does not zero out allocated memory. This can result in leaking raw process memory contents through the output image.

Published: January 26, 2019; 6:29:00 PM -0500
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM

In libvips before 8.6.3, a NULL function pointer dereference vulnerability was found in the vips_region_generate function in region.c, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted image file. This occurs because of a race condition involving a failed delayed load and other worker threads.

Published: March 09, 2018; 2:29:01 PM -0500
V3.0: 7.5 HIGH
V2.0: 5.1 MEDIUM