PT-2022-16690 · Unknown · Convert-Svg-Core

Donggyu Kim · Published 2022-06-10 · Updated 2022-06-17 · CVE-2022-24429

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: convert-svg-core versions prior to 0.6.3
Description: The issue allows for Arbitrary Code Injection when a specially crafted SVG file is used. An attacker can read arbitrary files from the file system and then display the file content as a converted PNG file.
Recommendations: For versions prior to 0.6.3, update to version 0.6.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of specially crafted SVG files until a patch is applied. Avoid using the convert-svg-core package with untrusted SVG files until the issue is resolved.
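The two recommendations above, turned into a pre-conversion gate as an added example (this is not code from the advisory or from the convert-svg-core project): it refuses to proceed on a build older than 0.6.3 and rejects untrusted SVGs that reference anything outside the document. The rejection rules are an assumption, since the advisory does not name the SVG construct that triggers the file read; the version strings and SVG samples are constructed.

```javascript
// Added example (not advisory or project code). Rejection rules below are an
// assumption: the advisory does not name the SVG construct that triggers the read.
const FIXED_VERSION = [0, 6, 3]; // from the advisory: fixed in 0.6.3

// "major.minor.patch" -> [major, minor, patch]; a pre-release suffix is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// true when the installed convert-svg-core is 0.6.3 or later
function isFixedVersion(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_VERSION[i]) return v[i] > FIXED_VERSION[i];
  }
  return true;
}

// Constructs that let a renderer run code or embed a foreign document, plus DTD
// entity declarations. Screening list chosen for this example, not from the advisory.
const DISALLOWED_CONSTRUCT = /<\s*(?:script|foreignObject|iframe|object|embed)\b|<!ENTITY/i;
// Every href / src / xlink:href value; only "#fragment" and "data:" URLs pass.
const REFERENCE_ATTR = /\b(?:xlink:)?(?:href|src)\s*=\s*(["'])(.*?)\1/gis;

// Findings for one SVG document; an empty list means nothing suspicious was seen.
function findSvgRisks(svg) {
  const risks = [];
  const construct = DISALLOWED_CONSTRUCT.exec(svg);
  if (construct) risks.push(`disallowed construct: ${construct[0].trim()}`);
  for (const m of svg.matchAll(REFERENCE_ATTR)) {
    const value = m[2].trim();
    if (!/^(?:#|data:)/i.test(value)) risks.push(`external reference: ${value}`);
  }
  return risks;
}

// Gate to run before handing an untrusted SVG to convert-svg-core.
function screenUntrustedSvg(svg, installedVersion) {
  const reasons = [];
  if (!isFixedVersion(installedVersion)) reasons.push(`convert-svg-core ${installedVersion} is older than 0.6.3`);
  reasons.push(...findSvgRisks(svg));
  return { allowed: reasons.length === 0, reasons };
}

// Constructed samples: a self-contained drawing, and one that points at a local file.
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle id="c" r="4"/><use href="#c"/></svg>';
const SUSPECT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><image xlink:href="file:///example/local-file.txt" width="8" height="8"/></svg>';
```

`screenUntrustedSvg(SUSPECT_SVG, "0.6.2")` returns two reasons (the old version and the external reference), while the benign sample on 0.6.3 is allowed through.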

Weakness Enumeration

Special Elements Injection
Code Injection

Related Identifiers

CVE-2022-24429
GHSA-54PX-MHWV-5V8X
SNYK-JS-CONVERTSVGCORE-2859212

Affected Products

Convert-Svg-Core