Sep 29, 2023

A patched expo-image release for SDK 49 is out with a fix for CVE-2023-4863, a vulnerability in libwebp that affected Chrome and many other applications that use the library for WebP decoding. The vulnerability was fixed upstream in libwebp 1.3.2, released on September 13, 2023.
The following explains how to apply the fix on each Expo-supported platform, along with context on what changed.
Update expo-image: run npx expo install expo-image on SDK 49, verify that the patched expo-image version (or greater) is installed, and deploy a new native build. The fix lives in native dependencies, so a JavaScript-only update does not pick it up. If you are still on SDK 48, make sure you are using the patched SDK 48 release of expo-image or greater.
Any build that used an expo-image release before the patched one (and therefore libwebp 1.3.1 or earlier) is affected.
On Android, the patched expo-image release removes GlideWebpDecoder, which (at the time of writing) depends on an outdated libwebp version. That dependency was responsible for animated WebP decoding in expo-image. We now use APNG4Android instead, which was already included to support other animated image formats. If you notice any regressions in animated WebP support in your application, file a bug report on expo/expo.
On iOS, ensure that you are using libwebp 1.3.2 or greater:
If you use CNG (Continuous Native Generation), the new version of libwebp is installed automatically when you generate your iOS project with npx expo prebuild --clean (or on EAS Build).
If you manage your own iOS project, verify in ios/Podfile.lock that you are using libwebp 1.3.2, and run pod update libwebp in your ios directory if not.
To find out whether a build you have already shipped is affected: if you use EAS Build, open the "Install pods" logs for that build on EAS Build and find the libwebp line. If it reads Installing libwebp (1.3.1) (or any earlier version), the build is affected.
Alternatively, check out the commit where you created your last build and look at the libwebp entry in the Podfile.lock in your ios directory. If it lists 1.3.1 or earlier, the build is affected.
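The two checks above, scripted: this is an added example rather than anything from the Expo post or Expo's tooling. It reads the resolved libwebp version out of a Podfile.lock or out of an EAS "Install pods" log and reports whether it is older than 1.3.2. The Podfile.lock and log snippets at the bottom are constructed inputs, and the pod name OtherPod is made up.

```shell
#!/bin/sh
# Added example, not part of Expo's post or tooling: report whether an iOS
# project (via Podfile.lock) or an EAS "Install pods" log resolved a libwebp
# older than 1.3.2, the release that fixes CVE-2023-4863.

FIXED_LIBWEBP="1.3.2"

# Resolved libwebp version from a Podfile.lock. CocoaPods writes the resolved
# pod under PODS: as "  - libwebp (1.3.1)"; subspec lines such as
# "  - libwebp/demux (1.3.1)" deliberately do not match this pattern.
libwebp_version_from_lockfile() {
  sed -n 's/^  - libwebp (\([0-9][0-9.]*\)).*/\1/p' "$1" | head -n 1
}

# Resolved libwebp version from an EAS Build "Install pods" log, which
# contains a line like "Installing libwebp (1.3.1)".
libwebp_version_from_pod_log() {
  sed -n 's/.*Installing libwebp (\([0-9][0-9.]*\)).*/\1/p' "$1" | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each numeric
# field in turn (a missing field counts as 0), without relying on the
# non-POSIX "sort -V".
version_ge() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}
    bh=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
  done
  return 0
}

# classify_libwebp VERSION: prints "fixed", "affected", or "missing" when the
# input did not mention libwebp at all (which also deserves a look).
classify_libwebp() {
  if [ -z "$1" ]; then
    echo missing
  elif version_ge "$1" "$FIXED_LIBWEBP"; then
    echo fixed
  else
    echo affected
  fi
}

check_podfile_lock() {
  classify_libwebp "$(libwebp_version_from_lockfile "$1")"
}

check_pod_log() {
  classify_libwebp "$(libwebp_version_from_pod_log "$1")"
}

# --- stand-alone demo on constructed inputs (not real project files) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/Podfile.lock" <<'EOF'
PODS:
  - libwebp (1.3.1):
    - libwebp/demux (= 1.3.1)
    - libwebp/webp (= 1.3.1)
  - libwebp/demux (1.3.1):
    - libwebp/webp
  - libwebp/webp (1.3.1)
EOF
cat > "$demo_dir/install-pods.log" <<'EOF'
Installing OtherPod (2.0.0)
Installing libwebp (1.3.2)
EOF
echo "Podfile.lock: $(check_podfile_lock "$demo_dir/Podfile.lock")"   # affected
echo "EAS log:      $(check_pod_log "$demo_dir/install-pods.log")"    # fixed
rm -r "$demo_dir"
```

Point check_podfile_lock at ios/Podfile.lock on the commit of your last build, or save the "Install pods" log from EAS Build to a file and pass it to check_pod_log. A "missing" result means libwebp was not resolved at all in that input, which for an expo-image project means you are looking at the wrong file or build.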
libwebp 1.3.2, released on September 13, 2023, satisfies the existing version constraint (~> 1.0), so any fresh pod install in the last ~2 weeks will have picked it up automatically. An existing Podfile.lock keeps the pinned version until you run pod update libwebp, which is why the lockfile check above matters.
On web, no changes are required on your part: WebP decoding is done by the browser, and libwebp is part of Chrome, so the fix arrives with browser updates.
If you support platforms beyond those listed above, check with the frameworks you use on them to see whether they are affected.