Description
CairoSVG is a Python (PyPI) package: an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (ReDoS) vulnerability. When processing SVG files, CairoSVG uses two regular expressions that are vulnerable to ReDoS. If an attacker provides a malicious SVG, it can make CairoSVG get stuck processing the file for a very long time. This is fixed in version 2.5.1. See the referenced GitHub advisory for more information.
References (4)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
Product, Third Party Advisory (x_refsource_misc): https://pypi.org/project/CairoSVG/
Patch, Third Party Advisory (x_refsource_misc): https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
Scores
CVSS v3
5.7
EPSS
0.0012
EPSS Percentile
31.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (2)
courtbouillon/cairosvg
< 2.5.1
pypi/CairoSVG
0 - 2.5.1 (PyPI)
Published
Jan 06, 2021
Tracked Since
Feb 18, 2026