I’ve spent a few minutes this morning trying to see if the libwebp packages BW uses have been patched for this vulnerability and I can’t find any reference to it.
So, question is simple, has this been patched in a recent release? If so, where does it say that in the release notes?
Bitwarden Desktop Release 2023.9.0 included the relevant “security fixes”, specifically, changes that upgrade the underlying Electron version to 24.8.3.
In any case, this CVE was never a vulnerability for the Bitwarden app, because it doesn’t use Electron for rendering WebP-formatted image files.
The MSP community is passing around that BW IS susceptible to this. May be worth having any PR staff on reddit and other areas address this directly today before it snowballs.
I’m not BW staff, but I am happy to push back against misinformation when I see it. Any specific Reddit threads you are concerned about? For that matter, if you are active in those communities, you can just respond yourself with links to this thread (and perhaps to the relevant thread on /r/bitwarden).
I have posted back a link to this thread in a couple of areas.
I’m just a customer for BW, haha. But I love the product and just want to get ahead of it. I got three “newsletter” type blasts from MSP groups this morning that list BW as a security vulnerability (uninformed, obviously). So I think it pertinent to post something here letting everyone know so either staff or the fans with time can get ahead of it.
It can through the icons feature. While I don’t have a WebP image file to test the exploit, I have tested that the desktop Electron client happily renders a WebP image - if served by the icons server.