CVE-2021-21236: Regular Expression Denial of Service in CairoSVG
When processing SVG files, the Python package CairoSVG uses two regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker supplies a malicious SVG, it can make CairoSVG get stuck processing the file for a very long time.
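As an added example (not part of the advisory or of the CairoSVG project), the following Python snippet scans a pinned requirements file and flags CairoSVG versions below 2.5.1, the release linked above as the fix; the requirements content is constructed for the demonstration.

```python
import re

# CVE-2021-21236: CairoSVG releases before 2.5.1 contain the ReDoS-prone
# regular expressions; 2.5.1 is the release the advisory links as the fix.
FIXED_VERSION = (2, 5, 1)


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'CairoSVG' and 'cairosvg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Turn '2.5.0' or '2.4' into a comparable tuple of ints (pre-release tags dropped)."""
    nums = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in nums.group(1).split("."))


def is_vulnerable(name: str, version: str) -> bool:
    """True when the pin is CairoSVG at a version below the fixing release."""
    if normalize_name(name) != "cairosvg":
        return False
    return parse_version(version) < FIXED_VERSION


# Matches 'name==version' pins; ignores trailing markers and comments.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def find_vulnerable_pins(requirements_text: str) -> list:
    """Return (name, version) pairs in a requirements file affected by CVE-2021-21236."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and is_vulnerable(m.group(1), m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample requirements file (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
Pillow==8.1.0
cairosvg==2.5.0
CairoSVG==2.5.1   # already at the fixed release
tinycss2==1.1.0
"""

if __name__ == "__main__":
    for name, version in find_vulnerable_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version}: affected by CVE-2021-21236, upgrade to >=2.5.1")
```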
References
- github.com/Kozea/CairoSVG
- github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
- github.com/Kozea/CairoSVG/releases/tag/2.5.1
- github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
- github.com/advisories/GHSA-hq37-853p-g5cf
- github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-21236
- pypi.org/project/CairoSVG