diffusionbee-stable-diffusion-ui icon indicating copy to clipboard operation
diffusionbee-stable-diffusion-ui copied to clipboard
verified publisher icon divamgupta

Patch for libwebp vulnerability?

Open thealanberman opened this issue 2 years ago • 2 comments

I see that Diffusionbee is using the Electron Framework -- given the recent 0-day vulnerability in libwebp can we get a "security patch" release?

I'm not sure if Diffusionbee actually renders webp files ever, but can't hurt to patch.

thealanberman avatar Sep 14 '23 16:09 thealanberman

I’m here checking on the same thing. I’m auditing all the apps on my machine running vulnerable versions of Electron and DiffusionBee’s sticking out: Electron/13.6.8

fadersolo avatar Sep 26 '23 18:09 fadersolo

The more I think about the libwebp vulnerability, the more I conclude that it's really of the highest concern for Electron based messaging or file sharing applications.

In order for an attacker to leverage a libwebp vulnerability in Diffusionbee, the attacker would need to get an "infected" webp file into your Diffusionbee 'images' folder... not impossible, but would require the attacker already having access to your system via some other vector.

thealanberman avatar Sep 26 '23 18:09 thealanberman