CVE-2023-50251

MEDIUM

php-svg-lib <0.5.1 - Uncontrolled Recursion / Resource Exhaustion (DoS)

Title source: llm

Description

php-svg-lib is an SVG file parsing and rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an SVG document, an attacker can cause the library to enter infinite recursion. Depending on the system configuration and attack pattern, this can exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple requests that render such a payload can cause resource exhaustion to the point that the system is unable to handle incoming requests. The impact is availability only (CWE-674, uncontrolled recursion; CVSS C:N/I:N/A:L), not memory corruption. Version 0.5.1 contains a patch for this issue.
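The advisory only says that attributes on a `use` tag trigger the recursion. The example below is added here and is not php-svg-lib's code; it assumes the usual mechanism for this bug class, a `<use>` whose `href`/`xlink:href` points at itself or at a chain of `use` elements that loops back, and shows the unguarded resolver beside a guarded one plus a pre-render check that rejects such documents before they reach a vulnerable renderer. The SVG payloads are constructed for the example, and `MAX_USE_DEPTH` is an assumed cap, not a value from the project.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_USE_DEPTH = 32  # assumption: generous upper bound for legitimate nested <use> chains

# Constructed payloads for this example (not taken from the advisory).
SELF_REFERENCING_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <use id="a" xlink:href="#a"/>
</svg>"""

CYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <use id="a" href="#b"/>
  <use id="b" href="#a"/>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs><circle id="dot" r="4"/></defs>
  <use id="u1" href="#dot"/>
  <use id="u2" href="#u1"/>
</svg>"""


def local_name(elem):
    """Strip the namespace from an ElementTree tag ('{ns}use' -> 'use')."""
    return elem.tag.rsplit("}", 1)[-1]


def use_target(elem):
    """Return the fragment id a <use> points to (href or xlink:href), or None."""
    ref = elem.get("href") or elem.get(XLINK_HREF)
    if ref is None or not ref.startswith("#"):
        return None  # external references are out of scope for this example
    return ref[1:]


def index_by_id(root):
    return {e.get("id"): e for e in root.iter() if e.get("id") is not None}


def resolve_use_naive(elem, ids):
    """Vulnerable pattern: follow <use> references with no cycle or depth guard.
    A self- or mutually-referencing <use> never terminates. Python aborts with
    RecursionError; a runtime without a recursion limit keeps consuming memory."""
    if local_name(elem) != "use":
        return elem
    target = ids.get(use_target(elem))
    if target is None:
        return None
    return resolve_use_naive(target, ids)


def resolve_use_safe(elem, ids, max_depth=MAX_USE_DEPTH):
    """Hardened pattern: iterate instead of recursing, remember every <use>
    already passed through, and cap the chain length. Raises ValueError on
    a cycle or an over-deep chain; returns the final non-<use> element."""
    seen = set()
    depth = 0
    while local_name(elem) == "use":
        if elem in seen:
            raise ValueError("cyclic <use> reference at #%s" % elem.get("id"))
        if depth >= max_depth:
            raise ValueError("<use> chain deeper than %d" % max_depth)
        seen.add(elem)
        depth += 1
        ref = use_target(elem)
        if ref is None or ref not in ids:
            return None  # dangling reference: nothing to render
        elem = ids[ref]
    return elem


def find_use_cycles(svg_text):
    """Pre-render check: ids of <use> elements whose reference chain loops or
    exceeds MAX_USE_DEPTH, so the document can be rejected before rendering."""
    root = ET.fromstring(svg_text)
    ids = index_by_id(root)
    bad = []
    for e in root.iter():
        if local_name(e) == "use":
            try:
                resolve_use_safe(e, ids)
            except ValueError:
                bad.append(e.get("id"))
    return bad


def naive_resolution_terminates(svg_text):
    """True if the unguarded resolver finishes on this document, False if it
    recursed without bound (the condition the advisory describes)."""
    root = ET.fromstring(svg_text)
    ids = index_by_id(root)
    try:
        for e in root.iter():
            if local_name(e) == "use":
                resolve_use_naive(e, ids)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    for name, doc in [("self", SELF_REFERENCING_SVG), ("cycle", CYCLIC_SVG), ("benign", BENIGN_SVG)]:
        print(name, "naive terminates:", naive_resolution_terminates(doc),
              "rejected ids:", find_use_cycles(doc))
```

The guarded resolver is iterative on purpose: a depth cap alone still lets an attacker pick the depth, while a visited set alone still allows a long but acyclic chain of `use` elements to consume stack; doing both bounds the work per `use` regardless of input. If the check is deployed as an upload or pre-render filter, parse with a hardened XML parser (for example defusedxml) so the filter itself is not exposed to entity-expansion attacks.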

Scores

CVSS v3.1 5.3
EPSS 0.0027
EPSS Percentile 49.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-674
Status published
Products (2)
dompdf/php-svg-lib < 0.5.1
phenx/php-svg-lib 0 - 0.5.1 (Packagist)
Published Dec 12, 2023
Tracked Since Feb 18, 2026