PT-2023-2374 · Cairo+3

Cyxow · Published 2023-03-20 · Updated 2024-01-26 · CVE-2023-27586

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: CairoSVG versions prior to 2.7.0
Description: CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, CairoSVG sends requests to external hosts when processing SVG files that reference external resources. A remote attacker who can submit a specially crafted SVG file can therefore perform server-side request forgery (SSRF) or cause a denial of service.
The root cause is insufficient validation of the resources an SVG file references: the converter follows such references without restricting their scheme or host.
Technical details of exploitation: the crafted SVG file references external resources by URL (for example an image reference pointing at an internal address); the converting server fetches them, which lets the attacker scan an organization's internal resources, or hangs the server while it waits on a slow or non-responding host.
Recommendations: Update to version 2.7.0 or later, which disables CairoSVG's ability to access other files online by default. If updating is not immediately possible, restrict the converter's access to external resources, for instance by rejecting SVG input that references anything outside the document before it reaches the converter, or by disabling the loading of external files in CairoSVG.
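To make the workaround concrete, here is an added example (not CairoSVG's own code and not part of the advisory): a Python pre-render gate that scans an SVG for any reference the renderer would resolve outside the document (http(s)://, file://, bare relative paths, CSS @import and url()), plus a restrictive fetcher that serves only inline data: URIs. It assumes that cairosvg.svg2png accepts a url_fetcher callable with the signature url_fetcher(url, resource_type) -> bytes; that keyword is an assumption of this example, so verify it against the installed version's signature. The sample SVGs and the internal.example hosts are constructed for the demonstration.

```python
"""Pre-render gate for untrusted SVG input to CairoSVG (added example, not CairoSVG code).

CairoSVG < 2.7.0 follows external references while rendering, so an attacker-
supplied SVG can make the server fetch arbitrary URLs (SSRF) or hang on a slow
host (DoS).  This module (1) scans an SVG for anything that would trigger such
a fetch and (2) provides a fetcher that only serves inline data: URIs, to pass
as CairoSVG's ``url_fetcher`` (assumed keyword, see the lead-in)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# CSS references inside <style> bodies, style="" attributes and presentation
# attributes such as fill="url(#g)": url(...) and @import "...".
CSS_REF_RE = re.compile(
    r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)


def _local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def is_inline(ref: str) -> bool:
    """Only same-document fragments and data: URIs need no network or file access."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")


def find_external_refs(svg_bytes: bytes) -> list[str]:
    """Return, in document order, every reference that would make the renderer
    read something outside the document: http(s)://, file://, or a bare
    relative path (resolved against the SVG's base URL, i.e. a local file)."""
    refs: list[str] = []
    for el in ET.fromstring(svg_bytes).iter():
        for name, value in el.attrib.items():
            if _local_name(name) == "href":          # href / xlink:href on image, use, ...
                refs.append(value.strip())
            else:                                    # style="" and paint attributes
                refs.extend(m.group(1) or m.group(2)
                            for m in CSS_REF_RE.finditer(value))
        if _local_name(el.tag) == "style" and el.text:
            refs.extend(m.group(1) or m.group(2)
                        for m in CSS_REF_RE.finditer(el.text))
    return [r for r in refs if not is_inline(r)]


def no_network_fetcher(url: str, resource_type: str) -> bytes:
    """Replacement for CairoSVG's default fetcher: serve inline data: URIs,
    refuse anything that would touch the network or the filesystem."""
    if url.lower().startswith("data:"):
        with urlopen(url) as resp:   # the stdlib decodes data: URIs locally, no I/O
            return resp.read()
    raise ValueError(f"refused external {resource_type} resource: {url!r}")


def refuses(url: str) -> bool:
    """True if no_network_fetcher rejects this URL."""
    try:
        no_network_fetcher(url, "image")
    except ValueError:
        return True
    return False


def render_png_safely(svg_bytes: bytes) -> bytes:
    """Reject SVGs with external references up front, then render with the
    restrictive fetcher.  Assumption: cairosvg.svg2png accepts ``url_fetcher``
    (url_fetcher(url, resource_type) -> bytes).  On 2.7.0+ the default
    unsafe=False already blocks external access; the fetcher is a second line
    of defence there and the primary one on older versions."""
    external = find_external_refs(svg_bytes)
    if external:
        raise ValueError(f"SVG references external resources: {external}")
    import cairosvg  # imported lazily so the checks above run without it installed
    return cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=no_network_fetcher)


# Constructed sample inputs (hosts are RFC 2606 reserved names, not real targets).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <style>@import "http://internal.example/theme.css";</style>
  <image xlink:href="http://internal.example:8080/" width="10" height="10"/>
  <use href="file:///etc/hostname#icon"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect width="10" height="10" fill="url(#g)"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    print("benign   :", find_external_refs(BENIGN_SVG))
    print("malicious:", find_external_refs(MALICIOUS_SVG))
```

The scan runs before the converter ever sees the document, so a hostile file is rejected without any parsing work by CairoSVG; the fetcher covers references the scan might miss (for example ones introduced by a future SVG feature) by failing closed on every non-data: URL. A relative path with no scheme is deliberately treated as external, because the renderer resolves it against the SVG's base URL, which on a server is a local file read.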

Tags: Exploit · Fix · DoS · RCE · SSRF

Weakness Enumeration

Related Identifiers

ALT-PU-2024-1459
BDU:2023-02149
CVE-2023-27586
DSA-5382-1
GHSA-RWMF-W63J-P7GV
MGASA-2023-0126
OPENSUSE-SU-2023:0260-1
OPENSUSE-SU-2023:0272-1
OPENSUSE-SU-2024:13218-1
PYSEC-2023-9

Affected Products

Alt Linux
Cairo
Cairosvg
Red Os