We sincerely apologize for causing concern regarding the vulnerability currently reported in Live2D Cubism Core (SDK).
We would like to provide a detailed report on the risks of this vulnerability and the associated threats.
New! (additional updates)
- Product Updates (March 17, 2023).
・Cubism 4 AE Plugin R8
- Product Updates (March 16, 2023).
・Cubism Editor 4.2.03_2
・Cubism Editor 4.2.04 beta4
・Cubism 4 SDK for Unity R6_2
・Cubism 4 SDK for Native R6_2
・Cubism 4 SDK for Web R6_2
・Cubism 4 SDK for Java R1 beta4
・Cubism 4 SDK for Cocos Creator R1 beta2
・Cubism Viewer for Unity 1.4.7_2
・Cubism MOC3 Consistency Checker 1.00.02
- Error Report (March 14, 2023).
Errors have been reported with the recently updated Cubism products: some MOC3 files that use Blend Shapes with “Weight Limit for Blend Shapes” cannot be loaded even though they are in the correct format.
- We have released product updates that address the Cubism Core vulnerability. (March 10, 2023).
・Live2D Cubism Editor 4.2.03_1
・Live2D Cubism Editor 4.2.04 beta3
・Live2D Cubism 4 SDK for Unity R6_1
・Live2D Cubism 4 SDK for Native R6_1
・Live2D Cubism 4 SDK for Web R6_1
・Live2D Cubism 4 SDK for Java R1 beta3
・Live2D Cubism Viewer for Unity 1.4.7_1
- MOC3 Consistency Checker 1.00.00 has been released (March 10, 2023).
- MOC3 Consistency Checker 1.00.00 has been released (March 9, 2023).
Loading a MOC3 file into this tool verifies whether the file is in the correct format. The tool can also detect maliciously modified files.
【Download & How to Use】
Details of the vulnerability:
This vulnerability is triggered when an application loads a maliciously modified MOC3 file.
Loading the modified MOC3 file into the target Cubism Core may cause out-of-bounds memory writes and crash the application. At this time, we assume that only a limited number of types of data can be written out of bounds and that arbitrary execution of malicious code is unlikely. Nevertheless, we will begin verifying this issue with advice from external security experts.
We plan to prepare a version that fixes this vulnerability within a few days and share it with the affected applications (listed below).
Users can continue to use MOC3 files that they have created themselves or obtained from trusted sources with peace of mind.
Scope of impact:
The scope of impact of this issue includes the following.
- Some features after Cubism Editor 4.2.00 beta1
・Embedded model track
- Related Cubism SDKs
・Cubism SDK for Unity
・Cubism SDK for Native
・Cubism SDK for Java
- Applications that use the related Cubism SDKs
・Cubism Viewer for OW
・Cubism Viewer for Unity
・Expandable Applications (applications that can read any MOC3 file, including nizima LIVE and various tracking software for VTubers)
To prevent damage
To prevent damage from MOC3 files that have been maliciously modified, users should take the following precautions.
- Do not open MOC3 files from unknown sources.
- Open only MOC3 files obtained from trusted sources.
- Keep the applications mentioned above that load arbitrary MOC3 files up to date.
Reporting defects and vulnerabilities
- Live2D Inc. is committed to developing and maintaining our products so that creators can peacefully engage in their creative work.
- If you encounter any defects or vulnerabilities in our product, please report them to us through our inquiry form.
Thank you for your understanding and cooperation.