Kozea/CairoSVG (~300K downloads/week) has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py (line ~335). This causes CPU exhaustion from a small input.
When CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts. When CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC …
When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.