PT-2024-4034 · Unknown · Php-Svg-Lib

Bsweeney · Published 2024-02-21 · Updated 2024-03-20 · CVE-2024-25117

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: php-svg-lib versions prior to 0.5.2

Description: php-svg-lib does not validate that the font-family value is free of a PHAR URL, which may lead to remote code execution (RCE) on PHP versions below 8.0. It also does not check whether external references are allowed, so a project that uses this library and does not strictly revalidate the fontName passed by php-svg-lib may be exposed to a bypass of its restrictions or to RCE. The Style::fromAttributes() and Style::parseCssStyle() functions should check the content of the font-family to prevent the use of a PHAR URL; libraries that consume the fontName value from php-svg-lib without double-checking it inherit the same risk.

Recommendations: For versions prior to 0.5.2, update to version 0.5.2 or later, which resolves the issue. As a temporary workaround, add a check in the Style::fromAttributes() and Style::parseCssStyle() functions that rejects a PHAR URL in the font-family style. Restrict access to the fontName value passed by php-svg-lib to minimize the risk of exploitation, and avoid using the font-family style with untrusted input until the fix is applied.
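As an added illustration of the workaround described above (example code, not php-svg-lib's own code and not its 0.5.2 patch), a small style parser that applies the font-family check before the value can reach any font lookup. The helper names parseFontFamily, isSafeFontFamily and parseCssStyle are assumptions; the sample styles are constructed.

```php
<?php
// Added illustration, not php-svg-lib's own code and not its 0.5.2 patch.
// Hypothetical helpers: parseFontFamily, isSafeFontFamily, parseCssStyle.

// Take the first comma-separated family and strip surrounding quotes.
function parseFontFamily(string $raw): string
{
    $first = explode(',', $raw, 2)[0];
    return trim(trim($first), "\"'");
}

// A font family is a plain name, so any "scheme://" inside it is a PHP stream
// wrapper (phar://, file://, data://, ...) and is refused. NUL bytes are refused
// too, since they can truncate a later path check.
function isSafeFontFamily(string $family): bool
{
    return stripos($family, '://') === false && strpos($family, "\0") === false;
}

// Parse "prop: value; prop: value" declarations, applying the font-family check
// before the value can reach any font-lookup code. Throws on a refused value.
function parseCssStyle(string $css): array
{
    $style = [];
    foreach (explode(';', $css) as $declaration) {
        if (strpos($declaration, ':') === false) {
            continue;
        }
        [$prop, $value] = array_map('trim', explode(':', $declaration, 2));
        $prop = strtolower($prop);
        if ($prop === 'font-family') {
            $value = parseFontFamily($value);
            if (!isSafeFontFamily($value)) {
                throw new InvalidArgumentException("Refused font-family: $value");
            }
        }
        $style[$prop] = $value;
    }
    return $style;
}

// Constructed sample styles: the second must be refused.
foreach (['font-size: 12px; font-family: "Times New Roman", serif',
          'font-family: phar://constructed-example.phar/x; fill: red'] as $css) {
    try {
        printf("accepted: %s\n", json_encode(parseCssStyle($css)));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The same check belongs in the attribute path (Style::fromAttributes()) as well, since a font-family can arrive either as a style declaration or as a bare SVG attribute.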

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2024-04470
CVE-2024-25117
DSA-5642-1
GHSA-F3QR-QR4X-J273

Affected Products

Php-Svg-Lib