PT-2021-14348 · PyPI +1 · CairoSVG +1

Ben Caller · Published 2021-01-06 · Updated 2024-01-26 · CVE-2021-21236

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Name of the Vulnerable Software and Affected Versions: CairoSVG versions prior to 2.5.1

Description: CairoSVG, a Python package for converting SVG files, uses two regular expressions that are vulnerable to regular expression denial of service (ReDoS) when processing SVG input. A malicious SVG can cause CairoSVG to get stuck processing the file for a very long time. The vulnerability is caused by the complexity of the regular expressions, which leads to catastrophic backtracking when processing a long string of spaces. The complexity is cubic: doubling the length of the malicious string of spaces makes processing take 8 times as long.

Recommendations: Update to CairoSVG 2.5.1 or later, which fixes the ReDoS vulnerability. If updating is not immediately possible, avoid the vulnerable regular expressions in the colors.py file as a temporary workaround. Restrict access to the cairosvg package to minimize the risk of exploitation, and avoid processing untrusted SVG files, which can cause the package to get stuck processing for a very long time.
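The cubic backtracking described above, measured against a linear-time replacement parser, as an added illustration that is not part of this advisory or of CairoSVG's code. The regex below is an assumed pattern of the shape described (greedy `\s*` around lazy groups), not necessarily the project's exact expression, and the padded input is constructed from the description.

```python
import re
import time

# Assumed stand-in with the shape the advisory describes: lazy groups wrapped in greedy \s*.
# Not CairoSVG's actual expression. On "rgb(" followed by N spaces and no comma, the engine
# tries every split of the spaces between \s*, (.+?) and the next \s*: about N^3 / 6 attempts.
BACKTRACKING_RGB = re.compile(r'rgb\(\s*(.+?)\s*,\s*(.+?)\s*,\s*(.+?)\s*\)')


def parse_rgb_regex(value):
    """Parse rgb(...) with the backtracking-prone pattern; kept only for comparison."""
    match = BACKTRACKING_RGB.match(value)
    return match.groups() if match else None


def parse_rgb_linear(value):
    """Linear-time replacement: a prefix/suffix check, one split, one strip per field.
    There are no adjacent unbounded quantifiers, so a run of N spaces costs O(N) work."""
    value = value.strip()
    if not (value.startswith('rgb(') and value.endswith(')')):
        return None
    fields = tuple(field.strip() for field in value[4:-1].split(','))
    if len(fields) != 3 or not all(fields):
        return None
    return fields


def pathological_input(n):
    """Constructed worst case from the description: 'rgb(' then n spaces and no comma."""
    return 'rgb(' + ' ' * n


def time_parse(parser, value):
    """Wall-clock seconds one parse attempt takes."""
    start = time.perf_counter()
    parser(value)
    return time.perf_counter() - start


def growth_ratio(parser, n):
    """How much slower doubling the padding makes the parser: about 8 for cubic
    backtracking, about 2 (or timer noise) for the linear parser."""
    base = max(time_parse(parser, pathological_input(n)), 1e-9)
    return time_parse(parser, pathological_input(2 * n)) / base


if __name__ == '__main__':
    print(parse_rgb_linear('rgb( 10 , 20 , 30 )'))
    for n in (100, 200, 400):
        print(n, 'spaces: regex %.3fs, linear %.6fs' % (
            time_parse(parse_rgb_regex, pathological_input(n)),
            time_parse(parse_rgb_linear, pathological_input(n))))
    print('regex doubling ratio:', round(growth_ratio(parse_rgb_regex, 200), 1))
```

Running the block prints the per-size timings so the roughly 8x step between 200 and 400 spaces for the regex, against an essentially flat linear parser, is visible directly.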

Tags: Exploit, Fix, DoS, Resource Exhaustion

Related Identifiers

ALT-PU-2024-1459
CVE-2021-21236
GHSA-HQ37-853P-G5CF
MGASA-2021-0149
OPENSUSE-SU-2023:0260-1
OPENSUSE-SU-2023:0272-1
OPENSUSE-SU-2024:13218-1
PYSEC-2021-5

Affected Products

Alt Linux
Cairosvg