Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mZjV4LTdxZzUtdndmMs4AA3uh
Denial of service caused by infinite recursion when parsing SVG document
Summary
When parsing the attributes passed to a use
tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.
Details
Inside Svg\Tag\UseTag::before
, php-svg-lib parses the attributes passed to an use
tag inside an svg document. When it finds a href
or xlink:href
, it will try to retrieve the object representing this tag:
$link = $attributes["href"] ?? $attributes["xlink:href"];
$this->reference = $document->getDef($link);
if ($this->reference) {
$this->reference->before($attributes);
}
$document->getDef
is implemented as follow:
public function getDef($id) {
$id = ltrim($id, "#");
return isset($this->defs[$id]) ? $this->defs[$id] : null;
}
Note: the $id
in the above method is actually the link being used in use
tag. This part is important, because this behaviour here actually leads to the vulnerability. It will be mentioned later on in this report.
If it finds the referenced object, it will try to call the before
method on the referenced object (this is still inside Svg\Tag\UseTag::before
) :
if ($this->reference) {
$this->reference->before($attributes);
}
In order to cause an infinte loop, we need to be able to control the $id
used in the $this->defs[$id]
code above. This defs
property (Svg\Document::defs
) is being populated when Svg\Document::_tagStart
is called. This is the handler being used when the php-svg-lib is parsing the svg structure:
// Svg\Document line 343
if ($tag) {
if (isset($attributes["id"])) {
$this->defs[$attributes["id"]] = $tag;
}
else {
// ...
}
// ...
}
So if the use
tag contains an id
, then that use
tag will be added to the $defs
array with it's id
as the key.
Now as noted before, when there is a link inside the use
tag, the library uses that link as the id
to actually find the object or tag
that has been added to the Svg\Document::defs
.
So if the id
attribute is equal to the link attribute inside the use
tag, then the referenced object (in this case it is the Use
tag object) will be called recursively until the memory given to the script is exhausted.
PoC
This is an example svg file that can be used to demonstrate the vulnerability.
<svg width="200" height="200"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use id="selfref" xlink:href="#selfref" />
</svg>
Impact
When the lib parses the above payload, it will crash:
PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37
An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.
Permalink: https://github.com/advisories/GHSA-ff5x-7qg5-vwf2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZjV4LTdxZzUtdndmMs4AA3uh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-ff5x-7qg5-vwf2, CVE-2023-50251
References:
- https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2
- https://nvd.nist.gov/vuln/detail/CVE-2023-50251
- https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0
- https://github.com/advisories/GHSA-ff5x-7qg5-vwf2
Blast Radius: 22.9
Affected Packages
packagist:phenx/php-svg-lib
Dependent packages: 39Dependent repositories: 20,777
Downloads: 93,592,571 total
Affected Version Ranges: < 0.5.1
Fixed in: 0.5.1
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.5.0
All unaffected versions: 0.5.1, 0.5.2, 0.5.3, 0.5.4, 1.0.0