
10/04/2023 - Update on H2O’s response to CVE-2023-4863

The team analyzed and assessed the impact of CVE-2023-4863 and implemented the necessary changes across the ecosystem. These changes were propagated to Managed Cloud and incorporated into the upcoming 23.10 release.

For any additional questions, please reach out to support at



09/28/2023 - H2O’s response to CVE-2023-4863

The team continues to investigate and evaluate the heap buffer overflow in the libwebp native library, reported as CVE-2023-4863.

libwebp processes images in the WebP format, which supports both lossy and lossless compression.


Versions Affected: all libwebp versions < 1.3.2

Fixed Version: 1.3.2


The vulnerability was first reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto’s Munk School on 09/06/2023 and confirmed by various web browsers (for example, Mozilla, Chrome). If exploited, the buffer overflow in WebP image parsing may result in the execution of arbitrary code.


As soon as we learned of this vulnerability, we promptly started evaluating all our released software versions and cloud-hosted systems to determine what might be impacted. This page will be updated with findings and remediations.


For any additional questions, reach out to support at


Sincerely, Customer Support