Our response to the Cubism Core Vulnerability

Updated: 05/26/2023

This page is for Cubism version 4.2 or earlier. Click here for the latest version.

This page describes the vulnerability related to Live2D Cubism Core and how we are responding to it.

Please refer to the link below on the dangers and threats associated with the vulnerability.

Announcement regarding vulnerability in Live2D Cubism Core

Status of Support

Vulnerability Assessment Report (04/28/2023)

On March 8th, 2023, we entrusted an investigation to GMO Cybersecurity by Ierae, Inc., a security specialist company, and received the investigation report on April 20th. Please refer to the announcement below for details.

Announcement regarding vulnerability in Live2D Cubism Core

Product Updates (03/16/2023)

Cubism products updated to fix the file loading errors reported on Mar 14th.

Error Report(03/14/2023)

Some errors have been reported with the recently updated Cubism products, where some MOC3 files that use Blend Shapes with “Weight Limit for Blend Shapes” are unable to be loaded, despite being in the correct format.

If your MOC3 files cannot be loaded under any other conditions, or if the verification tool shows “Corrupted” for unknown reasons, please contact us via the inquiry form below.

Contact us

Verification Tool

MOC3 Consistency Checker

By loading MOC3 files into this tool, it can verify whether or not the file is in the correct format. It can also detect maliciously modified files.

For details, please refer to “Verification Tool”.

Fixed Version

The list below shows the products affected by the Cubism Core vulnerability and corresponding fixed versions that have addressed the vulnerability.

Product name

Fixed version

Release Date.

Cubism Editor
Cubism Viewer (for OW)

4.2.03_2
4.2.04 beta4

Published (03/16/2023).

Cubism SDK for Unity

R6_2Published (03/16/2023).

Cubism SDK for Native

R6_2Published (03/16/2023).

Cubism SDK for Java

R1 beta4Published (03/16/2023).

Cubism Viewer for Unity

1.4.7_2Published (03/16/2023).

Cubism AE Plugin

R8Published (03/17/2023).

Cubism SDK for Web

R6_2  *1Published (03/16/2023).
Cubism SDK for Cocos CreatorR1 beta2  *1Published (03/16/2023).

*1 There are no vulnerabilities, but an API is available to verify whether or not the MOC3 file is in the correct format.

Update

New!

[05/26/2023] : Added Vulnerability Assessment Report section for “Status of Support” .

 

[04/14/2023] : Fixed the problem that prevented MOC3 Consistency Checker ver. 1.00.02 from downloading properly.

[03/17/2023] : “Live2D Cubism 4 AE Plugin R8” countermeasure version published.

[03/16/2023] : MOC3 Consistency Checker ver.1.00.02 is now available.

[03/16/2023] : List of Live2D Cubism products and Fixed Version updated

[03/14/2023] : Added “Status of Support” section.

[03/14/2023] : “Cubism 4 SDK for Cocos Creator R1 beta 1” countermeasure version published.

[03/10/2023] : List of Live2D Cubism products and countermeasure versions published.

[03/10/2023] : [Mac] MOC3 Consistency Checker ver. 1.00.01 is now available.

[03/10/2023] : [Windows] MOC3 Consistency Checker ver. 1.00.01 is now available.

[03/09/2023] : [Windows] MOC3 Consistency Checker ver.1.00.00 released

Was this article helpful?
YesNo
Please let us know what you think about this article.