CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
48.7%
When processing SVG files, the Python package CairoSVG uses two regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).
If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.
The vulnerable regular expressions are
The section between ‘rgb(’ and the final ‘)’ contains multiple overlapping groups.
Since all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.
The complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.
Create a malicious SVG of the form:
<svg width="1" height="1"><rect fill="rgb( ;"/></svg>
with the following code:
'<svg width="1" height="1"><rect fill="rgb(' + (' ' * 3456) + ';"/></svg>'
Note that there is no closing parenthesis before the semicolon.
Run cairosvg, e.g.:
cairosvg cairo-redos.svg -o x.png
and notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.
Fix the regexes to avoid overlapping parts. Perhaps remove the [ \n\r\t]* groups from the regex, and use .strip() on the returned capture group.
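To show the cubic backtracking described above next to the suggested fix, here is an added example (not code from CairoSVG or this advisory). WEAK_RGB is a constructed pattern with the shape the advisory describes (two `[ \n\r\t]*` runs around a lazy capture, all accepting spaces) and is assumed, not copied from the project; SAFE_RGB follows the fix suggestion of dropping those groups and using .strip() instead, and time_parse is a harness a maintainer could keep as a regression check.

```python
import re
import time

# Constructed approximation of the pattern shape the advisory describes:
# three repeating groups (two whitespace runs plus the lazy capture) all
# accept spaces, so a long run of spaces with no closing ')' backtracks
# cubically. Assumption: this is NOT copied from CairoSVG's source.
WEAK_RGB = re.compile(r'rgb\([ \n\r\t]*(.+?)[ \n\r\t]*\)')

# Hardened form along the lines the advisory suggests: drop the
# [ \n\r\t]* groups and trim whitespace with .strip() afterwards.
SAFE_RGB = re.compile(r'rgb\((.+?)\)')

# The advisory's proof-of-concept fill value (no ')' before the ';').
REDOS_FILL = 'rgb(' + (' ' * 3456) + ';'


def parse_rgb(value, pattern=SAFE_RGB):
    """Return (r, g, b) ints from an 'rgb(...)' string, or None."""
    match = pattern.search(value)
    if not match:
        return None
    # Whitespace handling moves out of the regex and into .strip().
    parts = [p.strip() for p in match.group(1).strip().split(',')]
    if len(parts) != 3:
        return None
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def time_parse(pattern, n_spaces):
    """Seconds spent matching `pattern` against an n-space PoC string."""
    value = 'rgb(' + (' ' * n_spaces) + ';'
    start = time.perf_counter()
    pattern.search(value)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Doubling the input should roughly 8x the weak pattern's time
    # (cubic), while the hardened pattern stays flat (linear).
    for pattern, name in ((WEAK_RGB, 'weak'), (SAFE_RGB, 'safe')):
        t1, t2 = time_parse(pattern, 100), time_parse(pattern, 200)
        print(f'{name}: 100 spaces {t1:.4f}s, 200 spaces {t2:.4f}s')
    print(parse_rgb(REDOS_FILL))  # None, and returns promptly
```

Keep the small sizes when timing the weak pattern; at the advisory's 3456 spaces it takes a very long time, which is the point of the CVE.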
Vendor | Product | Version | CPE |
---|---|---|---|
courtbouillon | cairosvg | * | cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-hq37-853p-g5cf
github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
github.com/Kozea/CairoSVG/releases/tag/2.5.1
github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yaml
nvd.nist.gov/vuln/detail/CVE-2021-21236
pypi.org/project/CairoSVG