Vulnerabilites related to Facebook - WhatsApp Desktop for Windows
CVE-2023-38537 (GCVE-0-2023-38537)
Vulnerability from cvelistv5
Published
2023-10-04 19:09
Modified
2024-09-19 15:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | WhatsApp Desktop for Mac |
Version: 0 ≤ |
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.whatsapp.com/security/advisories/2023/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T15:27:15.314042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T15:27:23.286Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.2338.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Desktop for Windows",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.2320.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Business for Android",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp for Android",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2023-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A race condition in a network transport subsystem led to a heap use-after-free issue in established or unsilenced incoming audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-416, CWE-366",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T19:09:58.086Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2023/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2023-38537",
"datePublished": "2023-10-04T19:09:58.086Z",
"dateReserved": "2023-07-19T20:34:49.827Z",
"dateUpdated": "2024-09-19T15:27:23.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30401 (GCVE-0-2025-30401)
Vulnerability from cvelistv5
Published
2025-04-05 11:47
Modified
2025-04-09 17:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| WhatsApp Desktop for Windows |
Version: 0.0.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30401",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:35:23.677082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:30:10.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WhatsApp Desktop for Windows",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.2450.6",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment\u2019s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-430",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T17:19:56.351Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-30401"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2025/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2025-30401",
"datePublished": "2025-04-05T11:47:54.836Z",
"dateReserved": "2025-03-21T19:52:56.084Z",
"dateUpdated": "2025-04-09T17:19:56.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38538 (GCVE-0-2023-38538)
Vulnerability from cvelistv5
Published
2023-10-04 19:10
Modified
2024-09-19 15:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | WhatsApp Desktop for Mac |
Version: 0 ≤ |
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.whatsapp.com/security/advisories/2023/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T15:27:40.316899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T15:27:48.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.2338.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Desktop for Windows",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.2320.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp Business for Android",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "WhatsApp for Android",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.23.10.77",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2023-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A race condition in an event subsystem led to a heap use-after-free issue in established audio/video calls that could have resulted in app termination or unexpected control flow with very low probability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-416, CWE-366",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T19:10:49.627Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2023/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2023-38538",
"datePublished": "2023-10-04T19:10:49.627Z",
"dateReserved": "2023-07-19T20:34:49.827Z",
"dateUpdated": "2024-09-19T15:27:48.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}