CVE-2023-27586
SSRF vulnerability in cairosvg (PyPI)


What is CVE-2023-27586 About?

CairoSVG is vulnerable to Server-Side Request Forgery (SSRF) and Denial of Service (DoS) through specially crafted SVG files. These vulnerabilities allow attackers to force the application to make requests to internal or external hosts, leading to internal network scanning, DoS attacks, or server hangs. Exploitation varies from easy (SSRF) to moderate (DoS).

Affected Software

  • cairosvg
    • <12d31c653c0254fa9d9853f66b04ea46e7397255
    • <2.7.0

Technical Details

This vulnerability presents primarily as an SSRF (Server-Side Request Forgery) issue and multiple DoS (Denial of Service) issues in CairoSVG when processing SVG files.

SSRF: a crafted SVG file containing external resource links (e.g., <image xlink:href>, <style type="text/css">@import url(), <use href>) can coerce CairoSVG into making requests to the specified URLs. This bypasses typical client-side controls, allowing attackers to scan internal networks, access restricted resources, or launch DoS attacks against external services.

DoS: the DoS vulnerabilities manifest in two ways:
  • if CairoSVG is forced to make a request to a malicious server that delays its response or never responds, the CairoSVG process can hang indefinitely; and
  • if the SVG includes a reference to stdin (e.g., file:///dev/stdin on Linux), CairoSVG can enter a hang state as it waits for input, leading to resource exhaustion.

The underlying mechanism is CairoSVG's unvalidated fetching of external resources referenced within SVG elements.
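The mechanism described above (a renderer that fetches whatever the image, style @import and use elements point at) can be checked for on the defender's side before an untrusted SVG ever reaches CairoSVG. The Python below is an added example, not code from the CairoSVG project or from this advisory. It does two things: scan_external_refs() statically lists every reference in an SVG that would cause a fetch outside the document (so an upload can be rejected or logged), and restricted_url_fetcher() is a fetcher that serves only inline data: URLs and refuses every network or file scheme. The fetcher's (url, resource_type) signature and the url_fetcher keyword are assumptions modelled on CairoSVG's default fetch(url, resource_type) and the url_fetcher option of its Tree(); the sample SVG and the internal-host.example hostname are constructed for this example.

```python
"""Defender-side checks for SVG external resource references (CVE-2023-27586).

Added example, not CairoSVG project code. Uses only the standard library.
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes, urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches @import url("...") / @import url(...) / @import "..." inside <style>.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*["']?([^"')]+)["']?\s*\)|["']([^"']+)["'])""", re.I)

# Constructed sample (not a real-world file): an inline data: image, a
# same-document <use>, and three references that would leave the file.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <style type="text/css">@import url("http://internal-host.example/style.css");</style>
  <defs><rect id="box" width="5" height="5"/></defs>
  <use href="#box"/>
  <image xlink:href="data:image/png;base64,aGVsbG8="/>
  <image xlink:href="file:///dev/stdin"/>
  <use href="http://internal-host.example/sprite.svg#icon"/>
</svg>"""


def is_external(ref: str) -> bool:
    """True if ``ref`` would make a renderer fetch something outside the document."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False  # same-document fragment, e.g. <use href="#shape">
    if urlparse(ref).scheme.lower() == "data":
        return False  # inline payload, nothing to fetch
    return True  # http(s), file, ftp, and scheme-less relative paths


def scan_external_refs(svg_bytes: bytes) -> list:
    """Return (element, reference) pairs for every external resource in document order."""
    findings = []
    root = ET.fromstring(svg_bytes)  # expat does not fetch external entities by default
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace prefix
        if tag in ("image", "use"):
            for attr in (XLINK_HREF, "href"):
                ref = el.get(attr)
                if ref is not None and is_external(ref):
                    findings.append((tag, ref.strip()))
        elif tag == "style" and el.text:
            for m in IMPORT_RE.finditer(el.text):
                ref = m.group(1) or m.group(2)
                if is_external(ref):
                    findings.append(("style@import", ref.strip()))
    return findings


def restricted_url_fetcher(url: str, resource_type: str) -> bytes:
    """Serve only inline data: URLs; refuse network and file schemes.

    The (url, resource_type) signature is an assumption modelled on CairoSVG's
    default fetch(); intended to be passed as url_fetcher=restricted_url_fetcher.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() != "data":
        raise ValueError(f"external resource fetch blocked: {url!r} ({resource_type})")
    # data:[<mediatype>][;base64],<payload>
    header, _, payload = parsed.path.partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


def fetch_is_blocked(url: str) -> bool:
    """True if the restricted fetcher refuses ``url`` (handy for policy tests)."""
    try:
        restricted_url_fetcher(url, "image/*")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for tag, ref in scan_external_refs(SAMPLE_SVG):
        print(f"external reference via <{tag}>: {ref}")
    # Hypothetical rendering call on a CairoSVG version that accepts url_fetcher:
    # cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=restricted_url_fetcher)
```

Running the scanner on the constructed sample reports the @import, the file:///dev/stdin image and the remote <use> target, while the fragment reference and the data: image pass. A service that renders untrusted SVG would reject any upload with findings, and would additionally install the restrictive fetcher so that a reference the scanner misses (for example one introduced by a parser quirk) still cannot trigger a network or file read.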

What is the Impact of CVE-2023-27586?

Successful exploitation may allow attackers to perform unauthorized network scanning, access internal resources, launch DDoS attacks, or cause application and server unresponsiveness leading to a denial of service.

What is the Exploitability of CVE-2023-27586?

Exploitation for SSRF is relatively easy, requiring only the creation of a malicious SVG file with external resource references. DoS exploitation, particularly the external server hang type, has moderate complexity due to requiring a controlled malicious server, while the stdin DoS is easy. No authentication or elevated privileges are required; an attacker simply needs to be able to submit a crafted SVG file to an application that uses CairoSVG for processing. This is typically a remote vulnerability, impacting systems that handle user-uploaded or externally sourced SVG content. Special conditions for DoS include the ability to control a remote server for indefinite holds or for the target system to be running on an OS where /dev/stdin is a viable hang vector. Risk factors are high for web applications that perform image processing, especially those that dynamically render SVG files from untrusted sources without strict input sanitization or network isolation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-27586?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • cairosvg
    • <12d31c653c0254fa9d9853f66b04ea46e7397255 → Upgrade to 12d31c653c0254fa9d9853f66b04ea46e7397255
  • cairosvg
    • <2.7.0 → Upgrade to 2.7.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-27586?

Similar Vulnerabilities: CVE-2020-25211, CVE-2020-25212, CVE-2021-22927, CVE-2021-39294, CVE-2022-26369