PT-2026-25365 · Cairo+2

Snailsploit

·

Published

2026-01-01

·

Updated

2026-05-06

·

CVE-2026-31899

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: CairoSVG versions prior to 2.9.0
Description: CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Versions prior to 2.9.0 are vulnerable to a denial of service caused by recursive <use> element amplification in the use() function of cairosvg/defs.py. <use> elements are expanded recursively with no depth or count limit, so a small input file can drive CPU exhaustion: a 1,411-byte SVG payload pins the CPU at 100% indefinitely. The amplification factor is O(10^N) rendering calls from an O(N) input: a chain of N nested <use> levels, each referencing the previous level ten times, costs on the order of 10^N rendering calls while the file grows only linearly in N.
Recommendations: Update CairoSVG to version 2.9.0 or later. As a temporary workaround on older versions, cap the <use> recursion depth (and the total number of <use> expansions) inside the use() function so that a malicious document fails fast instead of exhausting the CPU.
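The following Python model illustrates both the amplification described above and the depth/count guard recommended as a workaround. It is an added example, not CairoSVG's own use() implementation and not the advisory's payload: build_amplifying_svg() constructs a small SVG in which each <g> level holds `fanout` <use> references to the level below it, and count_render_calls() walks the document the way a naive renderer would, re-drawing a <use> target every time it is referenced. The max_depth and max_uses limits, the UseBudgetExceeded exception and the renders_within_budget() entry point are hypothetical names chosen for this illustration.

```python
"""Model of recursive <use> amplification and a depth/count guard.

Added illustration only; it does not use or reproduce CairoSVG's use().
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


class UseBudgetExceeded(Exception):
    """Raised when <use> nesting depth or the total <use> count passes a limit."""


def build_amplifying_svg(levels: int, fanout: int) -> str:
    """Construct a small SVG whose <use> chain amplifies exponentially.

    <g id="g0"> holds a single <rect>; every <g id="gK"> holds `fanout`
    <use> references to g(K-1). Drawing g{levels} touches fanout**levels
    rects, while the file size grows only linearly with `levels`.
    Constructed input for illustration, not the advisory's 1,411-byte payload.
    """
    parts = [
        f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="10" height="10">',
        "<defs>",
        '<g id="g0"><rect width="1" height="1"/></g>',
    ]
    for k in range(1, levels + 1):
        uses = "".join(f'<use xlink:href="#g{k - 1}"/>' for _ in range(fanout))
        parts.append(f'<g id="g{k}">{uses}</g>')
    parts.append("</defs>")
    parts.append(f'<use xlink:href="#g{levels}"/>')
    parts.append("</svg>")
    return "".join(parts)


def count_render_calls(svg_text: str, max_depth=None, max_uses=None) -> int:
    """Walk the SVG like a naive renderer and count leaf (<rect>) draws.

    Each <use> is resolved by drawing its target subtree again, with no
    memoisation, so the work mirrors the amplification the advisory describes.
    `max_depth` bounds nested <use> indirections and `max_uses` bounds the
    total number of <use> resolutions; when a limit is set and exceeded the
    walk aborts with UseBudgetExceeded instead of running to exhaustion.
    """
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    leaf_draws = 0
    use_resolutions = 0

    def draw(node, depth: int) -> None:
        nonlocal leaf_draws, use_resolutions
        tag = node.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        if tag == "defs":
            return  # definitions are only drawn when referenced
        if tag == "use":
            use_resolutions += 1
            if max_uses is not None and use_resolutions > max_uses:
                raise UseBudgetExceeded(f"more than {max_uses} <use> resolutions")
            if max_depth is not None and depth + 1 > max_depth:
                raise UseBudgetExceeded(f"<use> nesting deeper than {max_depth}")
            href = node.get(f"{{{XLINK_NS}}}href") or node.get("href") or ""
            target = by_id.get(href.lstrip("#"))
            if target is not None:
                draw(target, depth + 1)  # unbounded recursion without the guard
            return
        if tag == "rect":
            leaf_draws += 1
        for child in node:
            draw(child, depth)

    draw(root, 0)
    return leaf_draws


def renders_within_budget(svg_text: str, max_depth: int = 8,
                          max_uses: int = 10_000) -> bool:
    """Hardened entry point: True if the document renders inside the limits."""
    try:
        count_render_calls(svg_text, max_depth=max_depth, max_uses=max_uses)
        return True
    except UseBudgetExceeded:
        return False


if __name__ == "__main__":
    for levels in (2, 3, 4):
        svg = build_amplifying_svg(levels, fanout=10)
        print(f"levels={levels} bytes={len(svg)} leaf draws={count_render_calls(svg)}")
    print("6 levels within budget:", renders_within_budget(build_amplifying_svg(6, 10)))
```

Running the block shows the byte count rising by a constant per level while leaf draws rise tenfold; with six levels the unguarded walk would perform over a million <use> resolutions, whereas the guarded entry point rejects the document after the 10,001st. A total-count budget is the more robust of the two limits, since a wide fan-out can stay shallow yet still multiply work; the depth cap alone is the narrower workaround the advisory mentions.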

Exploit

Fix

DoS

Resource Exhaustion

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

BDU:2026-07364
CVE-2026-31899
GHSA-F38F-5XPM-9R7C
OPENSUSE-SU-2026:10379-1
SUSE-SU-2026:1421-1

Affected Products

Cairo
Cairosvg
Red Os