[webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001
Adrian Perez de Castro
aperez at igalia.com
Sun Feb 9 03:48:39 PST 2025
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001
------------------------------------------------------------------------
Date reported : February 09, 2025
Advisory ID : WSA-2025-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2025-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2025-0001.html
CVE identifiers : CVE-2024-27856, CVE-2024-54543,
                  CVE-2024-54658, CVE-2025-24143,
                  CVE-2025-24150, CVE-2025-24158,
                  CVE-2025-24162.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
CVE-2024-27856
Versions affected: WebKitGTK and WPE WebKit before 2.46.0.
Credit to Maksymilian Motyl of Immunity Systems, Junsung Lee working with
Trend Micro Zero Day Initiative, and ajajfxhj.
Impact: Processing a file may lead to unexpected app termination or
arbitrary code execution. Description: The issue was addressed with
improved checks.
WebKit Bugzilla: 268765
CVE-2024-54543
Versions affected: WebKitGTK and WPE WebKit before 2.46.5.
Credit to Lukas Bernhard, Gary Kwong, and an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 282450
CVE-2024-54658
Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
Credit to anbu1024 of SecANT.
Impact: Processing web content may lead to a denial-of-service.
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 263758
CVE-2025-24143
Versions affected: WebKitGTK and WPE WebKit before 2.46.6.
Credit to an anonymous researcher.
Impact: A maliciously crafted webpage may be able to fingerprint the
user. Description: The issue was addressed with improved access
restrictions to the file system.
WebKit Bugzilla: 283117
CVE-2025-24150
Versions affected: WebKitGTK and WPE WebKit before 2.46.6.
Credit to Johan Carlsson (joaxcar).
Impact: Copying a URL from Web Inspector may lead to command
injection. Description: A privacy issue was addressed with improved
handling of files.
WebKit Bugzilla: 283718
CVE-2025-24158
Versions affected: WebKitGTK and WPE WebKit before 2.46.6.
Credit to Q1IQ (@q1iqF) of NUS CuriOSity and P1umer (@p1umer) of Imperial
Global Singapore.
Impact: Processing web content may lead to a denial-of-service.
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 283889
CVE-2025-24162
Versions affected: WebKitGTK and WPE WebKit before 2.46.6.
Credit to linjy of HKUS3Lab and chluo of WHUSecLab.
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash. Description: This issue was addressed
through improved state management.
WebKit Bugzilla: 284159
We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security.
The WebKitGTK and WPE WebKit team,
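
As an added example (not part of the advisory and not WebKit project code), the "Versions affected" lines above can be turned into a check that reports which of these CVEs are still unfixed for a given upstream version. The function names and sample version strings are assumptions made for illustration; a distribution that backports fixes without changing the upstream version number will be over-reported.

```python
import re

# First fixed release per CVE, transcribed from the "Versions affected:
# ... before X" lines of WSA-2025-0001.
FIXED_IN = {
    "CVE-2024-54658": "2.44.0",
    "CVE-2024-27856": "2.46.0",
    "CVE-2024-54543": "2.46.5",
    "CVE-2025-24143": "2.46.6",
    "CVE-2025-24150": "2.46.6",
    "CVE-2025-24158": "2.46.6",
    "CVE-2025-24162": "2.46.6",
}

# Optional packaging epoch ("1:"), then major.minor[.patch]; any
# distro suffix such as "-1ubuntu0.1" is ignored.
_VERSION_RE = re.compile(r"\s*(?:\d+:)?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) as integers.

    Comparing integer tuples avoids the string-comparison trap in which
    "2.46.10" would sort before "2.46.6".
    """
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised WebKit version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def unfixed_cves(installed):
    """List the advisory's CVEs whose first fixed release is newer than
    the installed upstream version (hypothetical helper)."""
    current = parse_version(installed)
    return sorted(
        cve for cve, fixed in FIXED_IN.items()
        if current < parse_version(fixed)
    )


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("2.42.5-1ubuntu0.1", "2.44.0", "2.46.5", "2.46.10"):
        print(sample, "->", ", ".join(unfixed_cves(sample)) or "none listed")
```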