CVE-2020-28248

8.8 HIGH

📋 TL;DR

CVE-2020-28248 is an integer overflow vulnerability in the png-img library that leads to heap memory under-allocation and buffer overflow when processing malicious PNG files. This allows attackers to execute arbitrary code or cause denial of service. Any application using vulnerable versions of png-img for PNG image processing is affected.

💻 Affected Systems

Products:
  • png-img library
Versions: All versions before 3.1.0
Operating Systems: All operating systems where png-img is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses png-img to load PNG files is vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application processing the PNG file, potentially leading to complete system compromise.

🟠 Likely Case

Application crash (denial of service) or limited code execution within the application's context.

🟢 If Mitigated

Application crash with no code execution if memory protections like ASLR are effective.

🌐 Internet-Facing: HIGH - Any application that accepts PNG uploads from untrusted sources is vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal applications processing PNG files from potentially untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious PNG file, but public proof-of-concept exists and the vulnerability is in a widely used image processing library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.0 and later

Vendor Advisory: https://github.com/gemini-testing/png-img/security/advisories/GHSA-8q8x-8p22-3jqg

Restart Required: No

Instructions:

1. Update the png-img dependency to version 3.1.0 or later.
2. For npm: 'npm update png-img'.
3. For direct usage: replace with the patched version from GitHub.
4. Rebuild and redeploy affected applications.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict validation of PNG files before processing, rejecting malformed or suspicious files.
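One way to apply this workaround in a Node.js front end, as an added example that is not code from the advisory or from the png-img project: check the PNG signature and the IHDR chunk (dimensions, colour type, bit depth, CRC) and reject anything malformed or larger than policy allows before the buffer is handed to any decoder. The limits MAX_DIMENSION and MAX_PIXELS are assumed policy values chosen for this example, and buildPngHead only constructs sample headers for the demonstration.

```javascript
// Added example for the "input validation" workaround; not png-img project code.
// Checks only the PNG signature and IHDR chunk so a front-end service can reject
// absurd or malformed headers before any decoder allocates memory for them.
// MAX_DIMENSION and MAX_PIXELS are policy limits assumed here, not advisory values.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const MAX_DIMENSION = 16384;             // assumed per-axis limit
const MAX_PIXELS = 64 * 1024 * 1024;     // assumed limit on width * height

// Channel count and permitted bit depths per PNG colour type (from the PNG spec's IHDR rules).
const CHANNELS = { 0: 1, 2: 3, 3: 1, 4: 2, 6: 4 };
const ALLOWED_DEPTHS = { 0: [1, 2, 4, 8, 16], 2: [8, 16], 3: [1, 2, 4, 8], 4: [8, 16], 6: [8, 16] };

// Plain CRC-32 (zlib polynomial) so the IHDR checksum can be verified on any Node.js version.
const CRC_TABLE = new Uint32Array(256);
for (let n = 0; n < 256; n++) {
  let c = n;
  for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
  CRC_TABLE[n] = c >>> 0;
}
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

function validatePngHeader(buf) {
  if (buf.length < 33) return { ok: false, reason: 'shorter than signature plus IHDR chunk' };
  if (!buf.subarray(0, 8).equals(PNG_SIGNATURE)) return { ok: false, reason: 'bad PNG signature' };
  if (buf.readUInt32BE(8) !== 13 || buf.toString('latin1', 12, 16) !== 'IHDR') {
    return { ok: false, reason: 'first chunk is not a 13-byte IHDR' };
  }
  // The CRC covers chunk type + data (bytes 12..28); the stored CRC sits at bytes 29..32.
  if (crc32(buf.subarray(12, 29)) !== buf.readUInt32BE(29)) return { ok: false, reason: 'IHDR CRC mismatch' };

  const width = buf.readUInt32BE(16);
  const height = buf.readUInt32BE(20);
  const [bitDepth, colorType, compression, filter, interlace] = [buf[24], buf[25], buf[26], buf[27], buf[28]];

  if (width === 0 || height === 0 || width > 0x7fffffff || height > 0x7fffffff) {
    return { ok: false, reason: 'width/height outside the 1..2^31-1 range PNG allows' };
  }
  const channels = CHANNELS[colorType];
  if (channels === undefined || !ALLOWED_DEPTHS[colorType].includes(bitDepth)) {
    return { ok: false, reason: 'invalid colour type / bit depth combination' };
  }
  if (compression !== 0 || filter !== 0 || (interlace !== 0 && interlace !== 1)) {
    return { ok: false, reason: 'unknown compression, filter or interlace method' };
  }
  if (width > MAX_DIMENSION || height > MAX_DIMENSION || width * height > MAX_PIXELS) {
    return { ok: false, reason: 'image dimensions exceed policy limits' };
  }
  // JS numbers are doubles (exact up to 2^53), so this size arithmetic cannot wrap the way
  // 32-bit integer arithmetic can; the decoder only ever sees a bounded image.
  const rowBytes = Math.ceil((width * channels * bitDepth) / 8) + 1; // +1 filter-type byte per row
  return { ok: true, width, height, rowBytes, decodedBytes: rowBytes * height };
}

// Constructed sample builder (signature + IHDR only, no IDAT/IEND): it exists to exercise
// the validator offline and does not produce a real image.
function buildPngHead(width, height, bitDepth, colorType, interlace = 0) {
  const data = Buffer.alloc(13);
  data.writeUInt32BE(width, 0);
  data.writeUInt32BE(height, 4);
  data[8] = bitDepth; data[9] = colorType; data[10] = 0; data[11] = 0; data[12] = interlace;
  const typeAndData = Buffer.concat([Buffer.from('IHDR', 'latin1'), data]);
  const len = Buffer.alloc(4); len.writeUInt32BE(13, 0);
  const crc = Buffer.alloc(4); crc.writeUInt32BE(crc32(typeAndData), 0);
  return Buffer.concat([PNG_SIGNATURE, len, typeAndData, crc]);
}

// Demo: a 16x8 RGBA header passes, a 2^31-1 square header is rejected by policy.
console.log(validatePngHeader(buildPngHead(16, 8, 8, 6)));
console.log(validatePngHeader(buildPngHead(0x7fffffff, 0x7fffffff, 8, 6)));
```

In an upload handler, run validatePngHeader on the first 33 bytes of the request body and drop the request when ok is false; the returned decodedBytes can also feed a per-request memory budget. The CRC check matters because a header that fails its own checksum is already malformed and should never reach a native decoder.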

Memory protection controls (applies to: all)

Enable ASLR, DEP, and other memory protection mechanisms to reduce exploit success.

🧯 If You Can't Patch

  • Implement strict network controls to prevent untrusted PNG files from reaching vulnerable systems.
  • Use application firewalls or WAFs to block malicious PNG uploads based on file signatures.

🔍 How to Verify

Check if Vulnerable:

Check package.json or dependency files for png-img version below 3.1.0. For npm: 'npm list png-img'.

Check Version:

npm list png-img | grep png-img

Verify Fix Applied:

Confirm png-img version is 3.1.0 or higher. Test with known malicious PNG samples to ensure proper handling.
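A scripted version of this check, added here as an example and not taken from the advisory or the png-img project: it walks a package-lock.json object and reports every png-img install, including nested copies under other packages, that is below the fixed version 3.1.0. The SAMPLE_LOCK excerpt and its version numbers other than 3.1.0 are constructed for the demonstration.

```javascript
// Added example for the "Verify Fix Applied" step; not advisory or png-img project code.
// Finds every png-img entry in a package-lock.json and compares it with the fixed 3.1.0.
const FIXED_VERSION = [3, 1, 0];

// Parses "MAJOR.MINOR.PATCH" with an optional prerelease tag; returns null for anything
// it cannot read so that callers fail closed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v || ''));
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p) return true;                               // unknown version: treat as unpatched
  for (let i = 0; i < 3; i++) {
    if (p.parts[i] !== FIXED_VERSION[i]) return p.parts[i] < FIXED_VERSION[i];
  }
  return p.prerelease;                               // 3.1.0-rc.x sorts below 3.1.0 in semver
}

function findPngImg(lock) {
  const hits = [];
  const record = (path, version) => hits.push({ path, version, vulnerable: isVulnerableVersion(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/png-img' || path.endsWith('/node_modules/png-img')) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'png-img') record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfile excerpt (lockfileVersion 3 shape) with one patched copy and one
// nested unpatched copy; every version here except 3.1.0 is made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/png-img': { version: '3.1.0' },
    'node_modules/some-thumbnailer': { version: '0.4.2' },
    'node_modules/some-thumbnailer/node_modules/png-img': { version: '2.3.0' },
  },
};

const report = findPngImg(SAMPLE_LOCK);
for (const h of report) console.log(`${h.path} ${h.version} ${h.vulnerable ? 'VULNERABLE' : 'ok'}`);
```

Against a real project, pass the parsed lock file instead of the sample, e.g. findPngImg(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))), and treat any entry with vulnerable set to true as unpatched; a nested copy under another dependency is easy to miss with a top-level 'npm list png-img' alone.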

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PNG files
  • Memory access violation errors in application logs
  • Unusual process spawning after PNG processing

Network Indicators:

  • Unexpected outbound connections from applications after PNG uploads
  • Large or malformed PNG file uploads

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "access violation" OR "heap corruption") AND "png"
