Vulnerability-Lookup

CVE-2023-50251 (GCVE-0-2023-50251)

Vulnerability from cvelistv5 – Published: 2023-12-12 20:37 – Updated: 2025-05-22 18:38

Title

php-svg-lib possible DoS caused by infinite recursion when parsing SVG document

Summary

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

URL

Tags

	https://github.com/dompdf/php-svg-lib/security/ad…	x_refsource_CONFIRM
	https://github.com/dompdf/php-svg-lib/commit/8816…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	dompdf	php-svg-lib	Affected: < 0.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:16:46.252Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
          },
          {
            "name": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-50251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-22T18:38:09.177526Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-22T18:38:53.226Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "php-svg-lib",
          "vendor": "dompdf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-12T20:37:23.035Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
        },
        {
          "name": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
        }
      ],
      "source": {
        "advisory": "GHSA-ff5x-7qg5-vwf2",
        "discovery": "UNKNOWN"
      },
      "title": "php-svg-lib possible DoS caused by infinite recursion when parsing SVG document"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-50251",
    "datePublished": "2023-12-12T20:37:23.035Z",
    "dateReserved": "2023-12-05T20:42:59.377Z",
    "dateUpdated": "2025-05-22T18:38:53.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2\", \"name\": \"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0\", \"name\": \"https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:16:46.252Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-50251\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-22T18:38:09.177526Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-22T18:38:47.351Z\"}}], \"cna\": {\"title\": \"php-svg-lib possible DoS caused by infinite recursion when parsing SVG document\", \"source\": {\"advisory\": \"GHSA-ff5x-7qg5-vwf2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"dompdf\", \"product\": \"php-svg-lib\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2\", \"name\": \"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0\", \"name\": \"https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-674\", \"description\": \"CWE-674: Uncontrolled Recursion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-12-12T20:37:23.035Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-50251\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-22T18:38:53.226Z\", \"dateReserved\": \"2023-12-05T20:42:59.377Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-12-12T20:37:23.035Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-FF5X-7QG5-VWF2

Vulnerability from github – Published: 2023-12-13 13:32 – Updated: 2023-12-13 13:32

Summary

Denial of service caused by infinite recursion when parsing SVG document

Details

Summary

When parsing the attributes passed to a use tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

Details

Inside Svg\Tag\UseTag::before, php-svg-lib parses the attributes passed to an use tag inside an svg document. When it finds a href or xlink:href, it will try to retrieve the object representing this tag:

$link = $attributes["href"] ?? $attributes["xlink:href"];
$this->reference = $document->getDef($link);

if ($this->reference) {
    $this->reference->before($attributes);
}

$document->getDef is implemented as follow:

public function getDef($id) {
    $id = ltrim($id, "#");

    return isset($this->defs[$id]) ? $this->defs[$id] : null;
}

Note: the $id in the above method is actually the link being used in use tag. This part is important, because this behaviour here actually leads to the vulnerability. It will be mentioned later on in this report.

If it finds the referenced object, it will try to call the before method on the referenced object (this is still inside Svg\Tag\UseTag::before) :

if ($this->reference) {
    $this->reference->before($attributes);
}

In order to cause an infinte loop, we need to be able to control the $id used in the $this->defs[$id] code above. This defs property (Svg\Document::defs) is being populated when Svg\Document::_tagStart is called. This is the handler being used when the php-svg-lib is parsing the svg structure:

// Svg\Document line 343
if ($tag) {
    if (isset($attributes["id"])) {
        $this->defs[$attributes["id"]] = $tag;
    }
    else {
        // ...
    }

    // ...
}

So if the use tag contains an id, then that use tag will be added to the $defs array with it's id as the key.

Now as noted before, when there is a link inside the use tag, the library uses that link as the id to actually find the object or tag that has been added to the Svg\Document::defs.

So if the id attribute is equal to the link attribute inside the use tag, then the referenced object (in this case it is the Use tag object) will be called recursively until the memory given to the script is exhausted.

PoC

This is an example svg file that can be used to demonstrate the vulnerability.

<svg width="200" height="200"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use id="selfref" xlink:href="#selfref" />
</svg>

Impact

When the lib parses the above payload, it will crash:

PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37

An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phenx/php-svg-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-13T13:32:21Z",
    "nvd_published_at": "2023-12-12T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen parsing the attributes passed to a `use` tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.\n\n### Details\nInside `Svg\\Tag\\UseTag::before`, php-svg-lib parses the attributes passed to an `use` tag inside an svg document. When it finds a `href` or `xlink:href`, it will try to retrieve the object representing this tag:\n\n```\n$link = $attributes[\"href\"] ?? $attributes[\"xlink:href\"];\n$this-\u003ereference = $document-\u003egetDef($link);\n\nif ($this-\u003ereference) {\n    $this-\u003ereference-\u003ebefore($attributes);\n}\n```\n\n`$document-\u003egetDef` is implemented as follow:\n\n```\npublic function getDef($id) {\n    $id = ltrim($id, \"#\");\n\n    return isset($this-\u003edefs[$id]) ? $this-\u003edefs[$id] : null;\n}\n```\n\n_Note:_ the `$id` in the above method is actually the _link_ being used in `use` tag. This part is important, because this behaviour  here actually leads to the vulnerability. It will be mentioned later on in this report.\n\nIf it finds the referenced object, it will try to call the `before` method on the referenced object (this is still inside `Svg\\Tag\\UseTag::before`) :\n\n```\nif ($this-\u003ereference) {\n    $this-\u003ereference-\u003ebefore($attributes);\n}\n```\n\nIn order to cause an infinte loop, we need to be able to control the `$id` used in the `$this-\u003edefs[$id]` code above. This `defs` property (`Svg\\Document::defs`) is being populated when `Svg\\Document::_tagStart` is called. This is the handler being used when the php-svg-lib is parsing the svg structure:\n\n```\n// Svg\\Document line 343\nif ($tag) {\n    if (isset($attributes[\"id\"])) {\n        $this-\u003edefs[$attributes[\"id\"]] = $tag;\n    }\n    else {\n        // ...\n    }\n\n    // ...\n}\n```\n\nSo if the `use` tag contains an `id`, then that `use` tag will be added to the `$defs` array with it\u0027s `id` as the key.\n\nNow as noted before, when there is a link inside the `use` tag, the library uses that link as the `id` to actually find the object or `tag` that has been added to the `Svg\\Document::defs`.\n\nSo if the `id` attribute is equal to the link attribute inside the `use` tag, then the referenced object (in this case it is the `Use` tag object) will be called recursively until the memory given to the script is exhausted.\n\n### PoC\n\nThis is an example svg file that can be used to demonstrate the vulnerability.\n\n```\n\u003csvg width=\"200\" height=\"200\"\n  xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\u003e\n  \u003cuse id=\"selfref\" xlink:href=\"#selfref\" /\u003e\n\u003c/svg\u003e\n```\n\n### Impact\n\nWhen the lib parses the above payload, it will crash:\n\n```\nPHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37\n```\n\nAn attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.",
  "id": "GHSA-ff5x-7qg5-vwf2",
  "modified": "2023-12-13T13:32:21Z",
  "published": "2023-12-13T13:32:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/php-svg-lib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service caused by infinite recursion when parsing SVG document"
}

FKIE_CVE-2023-50251

Vulnerability from fkie_nvd - Published: 2023-12-12 21:15 - Updated: 2024-11-21 08:36

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0	Patch
security-advisories@github.com	https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	dompdf	php-svg-lib	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dompdf:php-svg-lib:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1E345BA-6667-40EB-AF3F-E279441B6C90",
              "versionEndExcluding": "0.5.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "php-svg-lib es una librer\u00eda de an\u00e1lisis/representaci\u00f3n de archivos SVG. Antes de la versi\u00f3n 0.5.1, al analizar los atributos pasados a una etiqueta \"use\" dentro de un documento svg, un atacante pod\u00eda hacer que el sistema entrara en una recursividad infinita. Dependiendo de la configuraci\u00f3n del sistema y del patr\u00f3n de ataque, esto podr\u00eda agotar la memoria disponible para el proceso en ejecuci\u00f3n y/o para el propio servidor. Un atacante que env\u00eda m\u00faltiples solicitudes a un sistema para representar el payload anterior puede potencialmente causar el agotamiento de los recursos hasta el punto de que el sistema no pueda manejar la solicitud entrante. La versi\u00f3n 0.5.1 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2023-50251",
  "lastModified": "2024-11-21T08:36:45.100",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-12T21:15:08.453",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-674"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2023-50251

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-50251

Aliases

CVE-2023-50251

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-50251",
    "id": "GSD-2023-50251"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-50251"
      ],
      "details": "php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.",
      "id": "GSD-2023-50251",
      "modified": "2023-12-13T01:20:31.213792Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-50251",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "php-svg-lib",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.5.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "dompdf"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-674",
                "lang": "eng",
                "value": "CWE-674: Uncontrolled Recursion"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2",
            "refsource": "MISC",
            "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
          },
          {
            "name": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0",
            "refsource": "MISC",
            "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-ff5x-7qg5-vwf2",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:dompdf:php-svg-lib:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F1E345BA-6667-40EB-AF3F-E279441B6C90",
                    "versionEndExcluding": "0.5.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue."
          },
          {
            "lang": "es",
            "value": "php-svg-lib es una librer\u00eda de an\u00e1lisis/representaci\u00f3n de archivos SVG. Antes de la versi\u00f3n 0.5.1, al analizar los atributos pasados a una etiqueta \"use\" dentro de un documento svg, un atacante pod\u00eda hacer que el sistema entrara en una recursividad infinita. Dependiendo de la configuraci\u00f3n del sistema y del patr\u00f3n de ataque, esto podr\u00eda agotar la memoria disponible para el proceso en ejecuci\u00f3n y/o para el propio servidor. Un atacante que env\u00eda m\u00faltiples solicitudes a un sistema para representar el payload anterior puede potencialmente causar el agotamiento de los recursos hasta el punto de que el sistema no pueda manejar la solicitud entrante. La versi\u00f3n 0.5.1 contiene un parche para este problema."
          }
        ],
        "id": "CVE-2023-50251",
        "lastModified": "2023-12-15T17:51:25.283",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-12-12T21:15:08.453",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-674"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-50251 (GCVE-0-2023-50251)

GHSA-FF5X-7QG5-VWF2

Summary

Details

PoC

Impact

FKIE_CVE-2023-50251

GSD-2023-50251

Tags

Sightings

Nomenclature