CVE-2021-29059
Regular Expression Denial of Service (ReDoS) vulnerability in is-svg (npm)


What is CVE-2021-29059 About?

This is a Regular Expression Denial of Service (ReDoS) vulnerability in IS-SVG version 4.3.1 and below. It is triggered when the application checks a specially crafted, invalid SVG string: validating that string makes the library's regular expressions consume excessive CPU time. The impact is a denial of service. Exploitation is relatively easy, requiring only a malicious SVG input.

Affected Software

is-svg >2.1.0, <4.3.0

Technical Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in IS-SVG version 4.3.1 and earlier. This vulnerability is triggered when the application processes and attempts to validate a specially crafted and invalid SVG string. The underlying regular expressions used by the 'IS-SVG' package to parse and validate SVG input exhibit poor performance characteristics (often polynomial or exponential complexity) with certain pathological inputs. When such a malicious string is fed to the functions, the regex engine consumes an inordinate amount of CPU cycles and memory due to excessive backtracking, leading to a denial-of-service condition where the application becomes unresponsive or crashes.

What is the Impact of CVE-2021-29059?

Successful exploitation may allow attackers to cause a denial-of-service condition by consuming excessive CPU resources, making the application unresponsive or crashing it.

What is the Exploitability of CVE-2021-29059?

Exploitation of this ReDoS vulnerability involves providing a specially crafted invalid SVG string to an application that uses the 'IS-SVG' library. The attacker needs to send an input string that specifically triggers the worst-case behavior of the vulnerable regular expressions. There are typically no authentication or privilege requirements, as the attack is against the parsing mechanism of user-supplied data. This is often a remote vulnerability, assuming the application processes SVG input from untrusted sources (e.g., file uploads, user-provided content). The complexity lies in crafting an SVG string that is both invalid and structured to cause the regex engine to backtrack pathologically. The likelihood of exploitation is higher if SVG content is commonly accepted and validated by the application.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2021-29059?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch replaces a regex-based SVG validation with XML parsing using fast-xml-parser, ensuring the input is valid XML containing a top-level <svg> element rather than just matching <svg> tags in arbitrary strings. This fixes CVE-2021-29059 by preventing attackers from bypassing the previous regex and injecting non-SVG content that could be misidentified as SVG, thus closing a spoofing and potential XSS vector.
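To show the direction the fix takes (check the document's structure instead of pattern-matching arbitrary strings), here is an added example; it is not the is-svg project's code or its patch and uses no parser library. It is a regex-free, linear-time root-element check: every branch advances a cursor, so a crafted input cannot make it backtrack. `MAX_LEN`, `svgRootIndex` and `isSvgRoot` are names and limits chosen for this example.

```javascript
// Added example, not the is-svg project's code. Skips a BOM, whitespace,
// an XML declaration, comments and a DOCTYPE, then requires the first
// element to be <svg ...>. No regular expressions, so the cost is bounded
// by input length for any input, crafted or not.
const MAX_LEN = 1 << 20;      // assumed size limit for accepted input (1 MiB)
const WS = ' \t\r\n';

function skipPast(s, i, marker) {
  const j = s.indexOf(marker, i);
  return j === -1 ? -1 : j + marker.length;
}

// <!DOCTYPE ... [ internal subset ] >: a '>' inside the bracketed subset
// does not terminate the declaration, so track the bracket nesting.
function skipDoctype(s, i) {
  let depth = 0;
  for (let j = i + 2; j < s.length; j++) {
    if (s[j] === '[') depth++;
    else if (s[j] === ']' && depth > 0) depth--;
    else if (s[j] === '>' && depth === 0) return j + 1;
  }
  return -1;
}

// Returns the index of the <svg start tag, or -1 if the input is not an
// SVG document (wrong root, unterminated prolog, oversized, not a string).
function svgRootIndex(input) {
  if (typeof input !== 'string' || input.length > MAX_LEN) return -1;
  let i = input.charCodeAt(0) === 0xfeff ? 1 : 0;   // UTF-8 BOM
  for (;;) {
    while (i < input.length && WS.includes(input[i])) i++;
    if (input.startsWith('<?', i)) i = skipPast(input, i, '?>');
    else if (input.startsWith('<!--', i)) i = skipPast(input, i, '-->');
    else if (input.startsWith('<!', i)) i = skipDoctype(input, i);
    else break;
    if (i === -1) return -1;
  }
  if (!input.startsWith('<svg', i)) return -1;
  const next = input[i + 4];                        // "<svgfoo" is not svg
  if (next === undefined || !(WS + '>/').includes(next)) return -1;
  return input.indexOf('>', i) === -1 ? -1 : i;     // start tag must close
}

function isSvgRoot(input) {
  return svgRootIndex(input) !== -1;
}
```

An HTML document that merely contains an `<svg>` element is rejected, which is the misidentification the fix description above is concerned with.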

Available Upgrade Options

  • is-svg
    • >2.1.0, <4.3.0 → Upgrade to 4.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-29059?

Similar Vulnerabilities: CVE-2021-23343, CVE-2020-28269, CVE-2020-7610, CVE-2019-10744, CVE-2019-11358