We sincerely apologize for causing concern regarding the vulnerability currently reported in Live2D Cubism Core(SDK).
We would like to provide a detailed report on the risks of this vulnerability and the associated threats.
New! (additional updates)
- Vulnerability Assessment Report (April 28, 2023).
Live2D Inc. reported the vulnerability of Live2D Cubism Core (CVE-2023-27566) on March 6th, 2023. We entrusted an investigation to GMO Cybersecurity by Ierae, Inc., a security specialist company, and received the investigation report on April 20th as follows:.
- Effective countermeasures have been implemented against this vulnerability in Live2D Cubism Editor 4.2.03_2 and subsequent product releases since March 16th, 2023.
- Even in Live2D Cubism Editor of versions prior to 4.2.03_2, it is highly unlikely for MOC3 files to perform arbitrary code execution. The potential threat to users is extremely low.
To ensure the continued optimal use of our product, we strongly recommend updating your Live2D Cubism Editor to the latest version.
We sincerely apologize for any inconvenience and concern caused. We appreciate your ongoing support for Live2D Inc. and Live2D Cubism.
Find information on product compatibility and the latest version below.
- Product Updates (March 17, 2023).
・Cubism 4 AE Plugin R8
- Product Updates (March 16, 2023).
・Cubism Editor 4.2.03_2
・Cubism Editor 4.2.04 beta4
・Cubism 4 SDK for Unity R6_2
・Cubism 4 SDK for Native R6_2
・Cubism 4 SDK for Web R6_2
・Cubism 4 SDK for Java R1 beta4
・Cubism 4 SDK for Cocos Creator R1 beta2
・Cubism Viewer for Unity 1.4.7_2
・Cubism MOC3 Consistency Checker 1.00.02
- Error Report (March 14, 2023).
Some errors have been reported with the recently updated Cubism products, where some MOC3 files that use Blend Shapes with “Weight Limit for Blend Shapes” are unable to be loaded, despite being in the correct format.
- We have released product updates that address the Cubism Core vulnerability. (March 10, 2023).
・Live2D Cubism Editor 4.2.03_1
・Live2D Cubism Editor 4.2.04 beta3
・Live2D Cubism 4 SDK for Unity R6_1
・Live2D Cubism 4 SDK for Native R6_1
・Live2D Cubism 4 SDK for Web R6_1
・Live2D Cubism 4 SDK for Java R1 beta3
・Live2D Cubism Viewer for Unity 1.4.7_1
- MOC3 Consistency Checker 1.00.00 has been released (March 10, 2023).
- MOC3 Consistency Checker 1.00.00 has been released (March 9, 2023).
By loading MOC3 files into this tool, it can verify whether or not the file is in the correct format. It can also detect maliciously modified files.
【Download & How to Use】
Details of the vulnerability:
This vulnerability occurs when an application runs a maliciously modified MOC3 file.
Having the modified MOC3 file loaded into the target Cubism Core may cause out-of-range memory writes and crash the application. At this time, we assume that there are only a limited number of types of data that are written out of memory range and that malicious code is unlikely to be executed arbitrarily. Nevertheless, we will start a verification of this issue with the advice from external security experts.
We plan to prepare a version that fixes this vulnerability within a few days and share it with the affected applications (listed below).
Users can continue to use MOC3 files that they have created themselves or obtained from trusted sources with peace of mind.
Scope of impact:
The scope of impact of this issue includes the following.
- Some features after Cubism Editor 4.2.00 beta1
- Embedded model track
- Relative Cubism SDK
- Cubism SDK for Unity
- Cubism SDK for Native
- Cubism SDK for Java
- Applications that use the relative Cubism SDK
- Cubism Viewer for OW
- Cubism Viewer for Unity
- Expandable Applications (Applications that can read any MOC3 file, including nizima LIVE and various tracking software for VTuber)
To prevent damage
To prevent damage from MOC3 files that have been maliciously modified, users should take the following precautions.
- Do not open MOC3 files from unknown sources.
- Open MOC3 files obtained from trusted sources.
- Keep applications (mentioned above) that use indefinite numbers of MOC3 files up to date.
Reporting defects and vulnerabilities
- Live2D Inc. is committed to developing and maintaining our products so that creators can peacefully engage in their creative work.
- If you encounter any defects or vulnerabilities in our product, please report them to us through our inquiry form.
Thank you for your understanding and cooperation.