Popular animation software Live2D has released a statement acknowledging the security flaws in its software development kit (SDK), Cubism Core. This follows a full disclosure published by Ronsor Labs on March 3 detailing the vulnerability in the SDK.
This vulnerability is recorded in the database of Common Vulnerabilities and Exposures (CVE) under CVE-2023-27566.
In email correspondence with NewsDrop, a representative from Live2D said that they became aware of the issue yesterday (March 6 JST) and released their statement after an internal investigation within the day, with an English translation posted the following day.
- According to them, the vulnerability occurs when an application runs a maliciously modified MOC3 file, the file type of Live2D Cubism’s model data.
- The vulnerability is said to impact several of Live2D’s Cubism features, including in the Cubism Editor 4.2.00 beta1, where an embedded model track is added. The related Cubism SDKs for Unity, Native, and Java are also affected.
- Live2D advised users not to open MOC3 files from unknown sources, and to open only those that are trusted.
“Having the modified MOC3 file loaded into the target Cubism Core may cause out-of-range memory writes and crash the application. At this time, we assume that there are only a limited number of types of data that are written out of memory range and that malicious code is unlikely to be executed arbitrarily. Nevertheless, we will start a verification of this issue with the advice from external security experts.”
The company is communicating with stakeholders who may be affected by the vulnerability and is working further to ensure that users can engage in their creative work in peace. Follow-up announcements will be posted on Twitter in a timely manner.
VTubers compose 70% of Live2D Cubism Pro users, as per a 2021 keynote, followed by games, applications and animation works.
Update: Live2D has released a MOC3 Consistency Checker, which allows users to check whether a file has been modified illegally.
Banner Photo: Live2D on YouTube