[BUG] Bump libpng in Skia deps to ≥ 1.6.51 (CVE-2025-64505, CVE-2025-64506 , CVE-2025-64720 , CVE-2025-65018)

[pkedalag]

Description

https://nvd.nist.gov/vuln/detail/CVE-2025-64505
https://nvd.nist.gov/vuln/detail/CVE-2025-64506
https://nvd.nist.gov/vuln/detail/CVE-2025-64720
http://nvd.nist.gov/vuln/detail/CVE-2025-65018

affects libpng < 1.6.51 . Request to update third_party/libpng to 1.6.51+ and rebuild Skia so downstream native assets like SkiaSharp do not contain the vulnerable libpng.

Code

.

Expected Behavior

No response

Actual Behavior

No response

Version of SkiaSharp

2.88.9 (Previous)

Last Known Good Version of SkiaSharp

Other (Please indicate in the description)

IDE / Editor

Visual Studio Code (Windows)

Platform / Operating System

Windows

Platform / Operating System Version

No response

Devices

No response

Relevant Screenshots

No response

Relevant Log Output

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

Triage Summary

Labels will be applied to indicate the affected platform (Windows Classic) and the specific area of the issue (libSkiaSharp.native).

This issue is not a regression as it primarily concerns a security vulnerability regarding a library update rather than impacting existing functionality.

Additional remarks:

• There is no indication this issue is related to performance, reliability, or compatibility with previous versions of SkiaSharp.
• The issue solely pertains to a bug involving the libpng dependency update without impacting graphics rendering backends.

Detailed Summary and Actions

Summary of the triage:

• The issue is confirmed to occur in the Visual Studio Code environment on Windows, indicating a need for the Windows Classic label.
• The primary focus is the updating of the libpng dependency which relates to the SkiaSharp native library components.
• There are no concerns regarding performance or compatibility, as the issue is about an update due to a security vulnerability.

Summary of the actions that will be performed:

Action	Item	Description
Apply Label	os/Windows-Classic	The issue specifically mentions that it occurs in the Visual Studio Code environment on Windows.
Apply Label	area/libSkiaSharp.native	The issue relates to updating the libpng dependency in Skia, which directly involves the native library components of SkiaSharp.

This entire triage process was automated by AI and mistakes may have been made. Please let us know so we can continue to improve.

[skaveva]

We are also seeing the similar issue.