
FFmpeg OSS vulnerability CVE-2023-6605

Open ktnvda opened this issue 6 months ago • 8 comments

In doing an open source scan on the latest opencv 4.11.0.86 from PyPI, opencv-python-headless, the scanner detected FFmpeg with the following versions, which are vulnerable to CVE-2023-6605:

  • /opencv_python_headless.libs/libavcodec.so with FFmpeg version n5.1.6
  • /cv2/opencv_videoio_ffmpeg4110_.dll version n4.4.5

Can FFmpeg be updated to the latest?

ktnvda, Jul 03 '25 23:07

The issue has not been fixed in the upstream repo (FFmpeg) and is still open. Nothing we can do on our side today.

asmorkalov, Jul 04 '25 12:07

Thank you for letting me know. I have emailed the FFmpeg security team to report this vulnerability to them. Currently I don't see it fixed on their security fixes page.

ktnvda, Jul 29 '25 15:07

@asmorkalov I worked with the FFmpeg maintainer(s) and they appear to have patched CVE-2023-6605 in FFmpeg release version 7.1.1. See their security updates page, which mentions that this CVE is fixed in FFmpeg 7.1.1. Can OpenCV implement this fix?

ktnvda, Aug 04 '25 15:08

ping @asmorkalov

ktnvda, Aug 08 '25 18:08

OK, we will update with the next release cycle. We usually do not publish new binaries each time a CVE is reported against a 3rd-party component. We have to rebuild binaries too often.

asmorkalov, Aug 11 '25 08:08

@asmorkalov Just checking back on this. Has there been an update with this fix in it?

ktnvda, Sep 25 '25 00:09

@asmorkalov just checking in on the status of this security fix. Any estimate of when the next release will include this security fix?

ktnvda, Nov 12 '25 23:11

The next release is in the Xmas time frame.

asmorkalov, Nov 13 '25 08:11