Our response to the Cubism Core Vulnerability
Updated: 05/26/2023
This page describes the vulnerability related to Live2D Cubism Core and how we are responding to it.
Please refer to the link below on the dangers and threats associated with the vulnerability.
Announcement regarding vulnerability in Live2D Cubism Core
Status of Support
Vulnerability Assessment Report (04/28/2023)
On March 8th, 2023, we entrusted an investigation to GMO Cybersecurity by Ierae, Inc., a security specialist company, and received the investigation report on April 20th. Please refer to the announcement below for details.
Announcement regarding vulnerability in Live2D Cubism Core
Product Updates (03/16/2023)
Cubism products updated to fix the file loading errors reported on Mar 14th.
Error Report(03/14/2023)
Some errors have been reported with the recently updated Cubism products, where some MOC3 files that use Blend Shapes with “Weight Limit for Blend Shapes” are unable to be loaded, despite being in the correct format.
If your MOC3 files cannot be loaded under any other conditions, or if the verification tool shows “Corrupted” for unknown reasons, please contact us via the inquiry form below.
Verification Tool
MOC3 Consistency Checker
By loading MOC3 files into this tool, it can verify whether or not the file is in the correct format. It can also detect maliciously modified files.
For details, please refer to “Verification Tool”.
Fixed Version
The list below shows the products affected by the Cubism Core vulnerability and corresponding fixed versions that have addressed the vulnerability.
Product name | Fixed version | Release Date. |
4.2.03_2 | Published (03/16/2023). | |
R6_2 | Published (03/16/2023). | |
R6_2 | Published (03/16/2023). | |
R1 beta4 | Published (03/16/2023). | |
1.4.7_2 | Published (03/16/2023). | |
R8 | Published (03/17/2023). | |
R6_2 *1 | Published (03/16/2023). | |
Cubism SDK for Cocos Creator | R1 beta2 *1 | Published (03/16/2023). |
*1 There are no vulnerabilities, but an API is available to verify whether or not the MOC3 file is in the correct format.
Update
New!
[05/26/2023] : Added Vulnerability Assessment Report section for “Status of Support” .
[04/14/2023] : Fixed the problem that prevented MOC3 Consistency Checker ver. 1.00.02 from downloading properly.
[03/17/2023] : “Live2D Cubism 4 AE Plugin R8” countermeasure version published.
[03/16/2023] : MOC3 Consistency Checker ver.1.00.02 is now available.
[03/16/2023] : List of Live2D Cubism products and Fixed Version updated
[03/14/2023] : Added “Status of Support” section.
[03/14/2023] : “Cubism 4 SDK for Cocos Creator R1 beta 1” countermeasure version published.
[03/10/2023] : List of Live2D Cubism products and countermeasure versions published.
[03/10/2023] : [Mac] MOC3 Consistency Checker ver. 1.00.01 is now available.
[03/10/2023] : [Windows] MOC3 Consistency Checker ver. 1.00.01 is now available.
[03/09/2023] : [Windows] MOC3 Consistency Checker ver.1.00.00 released