PT-2023-31509 · Unknown · Php-Svg-Lib

Cod3Beat · Published 2023-12-12 · Updated 2024-03-20 · CVE-2023-50251

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions
php-svg-lib versions prior to 0.5.1

Description
The issue arises when parsing attributes passed to a use tag inside an SVG document, allowing an attacker to cause the system to go into infinite recursion. This could exhaust the memory available to the executing process and/or the server itself, potentially leading to resource exhaustion if multiple requests are sent to render the payload.

Recommendations
For versions prior to 0.5.1, update to version 0.5.1 to resolve the issue. As a temporary workaround, consider restricting the parsing of use tags with href or xlink:href attributes to prevent infinite recursion.
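The temporary workaround above, as an added example that is not php-svg-lib's own code: a pre-render filter that removes every use element carrying href or xlink:href before the SVG is handed to a version prior to 0.5.1. The helper name strip_use_references and the sample SVG are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: pre-render filter for the advisory's temporary workaround.
// strip_use_references() is a hypothetical helper, not part of php-svg-lib.
const XLINK_NS = 'http://www.w3.org/1999/xlink';

// Removes every <use> element that has an href or xlink:href attribute.
// Returns [filtered SVG, number of elements removed]; throws on malformed XML.
function strip_use_references(string $svg): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: no network fetches while parsing untrusted input.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }

    $removed = 0;
    // Snapshot the node list first: removing nodes from a live list skips entries.
    foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
        // Match the local name case-insensitively, ignoring any prefix (conservative).
        if (strtolower($el->localName) !== 'use') {
            continue;
        }
        $hasRef = $el->hasAttribute('href')
            || $el->hasAttribute('xlink:href')
            || $el->hasAttributeNS(XLINK_NS, 'href');
        if ($hasRef && $el->parentNode !== null) {
            $el->parentNode->removeChild($el);
            $removed++;
        }
    }
    return [$doc->saveXML(), $removed];
}

// Constructed sample input: a benign document with one referencing <use>.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><rect id="r" width="10" height="10"/></defs>
  <use xlink:href="#r" x="5"/>
  <rect width="2" height="2"/>
</svg>
SVG;
[$clean, $count] = strip_use_references($sample);
printf("removed %d <use> element(s)\n%s", $count, $clean);
```

Documents that rely on use references will render without the removed elements, so this filter is a stopgap until the update to 0.5.1 is in place.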

Exploit

Fix

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

CVE-2023-50251
DSA-5642-1
GHSA-FF5X-7QG5-VWF2

Affected Products

Php-Svg-Lib