Our response to the Cubism Core Vulnerability
Updated: 08/17/2023
This section describes the vulnerabilities related to Live2D Cubism Core and how to address them.
Please see below for a description of the dangers and threats associated with the vulnerabilities in question.
Announcement regarding vulnerability in Live2D Cubism Core
Status of support
Report on the survey (04/28/2023)
On March 8, 2023, we requested a survey from GMO Cybersecurity by Ierae, Inc., a company specializing in security.
We have received the investigation report on this vulnerability as of April 20 of the same year and have included the details in the following notice.
Announcement regarding vulnerability in Live2D Cubism Core
Announcement regarding product update (03/16/2023)
We have updated the product to correct the problem we announced on March 14.
Notice of defect (03/14/2023)
The following MOC3 files cannot be read in the various products released recently, even though they are in the correct format.
• Some MOC3 files that use the blend shape and have “Limit Settings for Blend Shape Weights”
If you are unable to read MOC3 files under conditions other than those described above, or if you receive a “Corrupted” message in the verification tool even though you do not remember the problem, please contact us using the following link.
Verification Tool
MOC3 Consistency Checker
By loading a MOC3 file into this tool, you can determine that the file is in the correct format.
It is also possible to determine that the file has been illegally modified.
See “Verification Tool” for more information.
Versions with countermeasures
The affected products and the versions that have been addressed regarding the vulnerability in Live2D Cubism Core are as follows.
| Product name | Version in which countermeasures are available (and will continue to be supported thereafter) |
| Cubism Editor Cubism Viewer (for OW) | 4.2.03_2 4.2.04 beta4 |
| Cubism SDK for Unity | R6_2 |
| Cubism SDK for Native | R6_2 |
| Cubism SDK for Java | R1 beta4 |
| Cubism Viewer for Unity | 1.4.7_2 |
| Cubism AE Plugin | R8 |
| Cubism SDK for Web | R6_2 (Note 1) |
| Cubism SDK for Cocos Creator | R1 beta2 (Note 1) |
Note 1: There is no vulnerability, but an API is available to verify that the MOC3 file is in the correct format.
Update Information
New!
[08/17/2023]: MOC3 Consistency Checker ver. 1.00.03 is now available.
[04/28/2023]: Added a survey report to the “Status of support” section.
[04/14/2023]: Fixed a bug that prevented MOC3 Consistency Checker ver. 1.00.02 from being downloaded properly.
[03/17/2023]: Added “Live2D Cubism 4 AE Plugin R8” to the versions with countermeasures.
[03/16/2023]: MOC3 Consistency Checker ver. 1.00.02 is now available.
[03/16/2023]: Updated the lists of Live2D Cubism products and their versions with countermeasures.
[03/14/2023]: Added items in the “Status of support” section.
[03/14/2023]: Added “Cubism 4 SDK for Cocos Creator R1 beta 1” to the versions with countermeasures.
[03/10/2023]: The lists of Live2D Cubism products and their versions with countermeasures are now available.
[03/10/2023]: [Mac] MOC3 Consistency Checker ver. 1.00.01 is now available.
[03/10/2023]: [Windows] MOC3 Consistency Checker ver. 1.00.01 is now available.
[03/09/2023]: [Windows] MOC3 Consistency Checker ver. 1.00.00 is now available.