CVE-2023-25193

7.5 HIGH

📋 TL;DR

This vulnerability in the HarfBuzz text shaping engine allows attackers to cause a denial of service through an algorithmic complexity attack. Specially crafted text containing long runs of consecutive marks triggers O(n^2) processing time, which can cause applications to hang or crash. Any system that renders text with a vulnerable HarfBuzz version is affected.

💻 Affected Systems

Products:
  • HarfBuzz
  • Applications using HarfBuzz library (Chrome, Firefox, LibreOffice, etc.)
Versions: HarfBuzz versions through 6.0.0
Operating Systems: Linux, Windows, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using HarfBuzz for text shaping with default configuration is vulnerable when processing malicious text.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service causing application crashes, system instability, or service unavailability in applications that process untrusted text input.

🟠 Likely Case: Degraded performance or temporary unresponsiveness in applications processing malicious text, particularly in web browsers, document viewers, or text processing tools.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place, though performance degradation may still occur.

🌐 Internet-Facing: MEDIUM - Web applications processing user-submitted text could be affected, but exploitation requires specific text input.
🏢 Internal Only: LOW - Requires local access or specific text processing scenarios to trigger.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing specially crafted text to applications using HarfBuzz, but no public proof-of-concept has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarfBuzz 6.0.1 and later

Vendor Advisory: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc

Restart Required: Yes

Instructions:

1. Update HarfBuzz to version 6.0.1 or later.
2. Update dependent applications (browsers, office suites) to versions using patched HarfBuzz.
3. Restart affected applications/services.

🔧 Temporary Workarounds

Input validation and sanitization (platform: all)

Implement input validation to reject or sanitize text with excessive consecutive marks before processing with HarfBuzz.
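One way to apply this workaround at the input boundary, as an added example that is not part of the advisory or of HarfBuzz itself: count the longest run of Unicode combining marks (categories Mn, Mc, Me) in the submitted text and either reject it or truncate each run before the text reaches the shaper. The threshold MAX_CONSECUTIVE_MARKS is an assumed policy value, not a number from the advisory; the sample strings are constructed here.

```python
import unicodedata

# Assumed policy threshold (not from the advisory): the longest run of
# combining marks allowed after a single base character.
MAX_CONSECUTIVE_MARKS = 8


def is_mark(ch: str) -> bool:
    """True for Unicode combining marks: Mn (nonspacing), Mc (spacing), Me (enclosing)."""
    return unicodedata.category(ch).startswith("M")


def longest_mark_run(text: str) -> int:
    """Length of the longest sequence of consecutive combining marks in `text`."""
    longest = run = 0
    for ch in text:
        if is_mark(ch):
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def validate_text(text: str, limit: int = MAX_CONSECUTIVE_MARKS) -> tuple[bool, int]:
    """Return (accepted, longest_run).

    The text is normalised to NFC first so that a base letter plus a mark
    that has a precomposed form (e.g. "e" + U+0301) is not counted as a mark
    run; only marks that remain after composition are measured.
    """
    normalized = unicodedata.normalize("NFC", text)
    run = longest_mark_run(normalized)
    return run <= limit, run


def sanitize_text(text: str, limit: int = MAX_CONSECUTIVE_MARKS) -> str:
    """Keep every base character but cut each run of marks down to `limit`."""
    out = []
    run = 0
    for ch in unicodedata.normalize("NFC", text):
        if is_mark(ch):
            run += 1
            if run > limit:
                continue  # drop the excess marks, keep the base character
        else:
            run = 0
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples: U+036F has no precomposed form, so it survives NFC.
    ordinary = "a" + "\u036f" * 3
    stacked = "a" + "\u036f" * 40
    for sample in (ordinary, stacked):
        accepted, run = validate_text(sample)
        print(f"longest mark run={run:>3}  accepted={accepted}")
    print(len(sanitize_text(stacked)))  # base character plus 8 marks
```

Rejecting is the safer default for an untrusted submission path; sanitizing is appropriate where the text must still be displayed (a chat message, a username) and losing stacked marks is acceptable. Scripts with legitimate multi-mark clusters (Devanagari, Thai, Vietnamese) rarely exceed three or four marks per base character, so a limit of eight leaves real text untouched.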

Resource limiting (platform: linux)

Configure resource limits (CPU time, memory) for applications using HarfBuzz to prevent complete denial of service. A CPU-time limit bounds how long one shaping request can consume a core; the process is terminated rather than left hanging.

ulimit -t 30  # Limit CPU time to 30 seconds for processes started from this shell (Linux)

On Windows there is no ulimit equivalent; per-process CPU-time limits are applied through Job Objects (JOB_OBJECT_LIMIT_PROCESS_TIME), so the application must be launched inside a job that sets that limit.

🧯 If You Can't Patch

  • Implement strict input validation for text processing to reject suspicious patterns
  • Deploy monitoring for abnormal resource consumption in text processing applications

🔍 How to Verify

Check if Vulnerable:

Check HarfBuzz version: harfbuzz-config --version or check package version in system package manager.

Check Version:

harfbuzz-config --version || pkg-config --modversion harfbuzz || dpkg -l | grep harfbuzz || rpm -q harfbuzz

Verify Fix Applied:

Verify HarfBuzz version is 6.0.1 or later, or check that dependent applications have been updated to versions using patched HarfBuzz.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes in text processing applications
  • Application crashes or hangs during text rendering
  • Abnormally long processing times for text operations

Network Indicators:

  • Unusually large text payloads being submitted to web applications
  • Repeated text submissions with similar patterns

SIEM Query:

process.name:"application_using_harfbuzz" AND (cpu.usage > 90 OR event.action:"crash")
