Safety vulnerability ID: 53750
The information on this page was manually curated by our Cybersecurity Intelligence Team.
CairoSVG 2.7.0 includes a fix for CVE-2023-27586: Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
Latest version: 2.7.1
A Simple SVG Converter based on Cairo
====================================
**WARNING:** this is a security update.
When processing SVG files, CairoSVG could access other files online, possibly
leading to very long renderings or other security problems.
This feature is now disabled by default. External resources can still be
accessed using the "unsafe" or the "url_fetcher" parameter.
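If external resources have to be re-enabled, a restrictive "url_fetcher" is narrower than "unsafe". The following is an added example, not code from CairoSVG or from this advisory: a wrapper that lets inline data: URLs and HTTPS requests to an allowlisted host through and rejects everything else. The names `make_allowlist_fetcher`, `BlockedResource` and `assets.example.com` are hypothetical, and the `(url, resource_type)` callback shape and the `cairosvg.url.fetch` default fetcher are assumptions about the library.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; replace with hosts you control.
ALLOWED_HOSTS = frozenset({"assets.example.com"})


class BlockedResource(ValueError):
    """An SVG referenced a resource outside the fetch policy."""


def make_allowlist_fetcher(delegate, allowed_hosts=ALLOWED_HOSTS):
    """Wrap delegate(url, resource_type) -> bytes with an allowlist check.

    The (url, resource_type) callback shape is an assumption about what
    CairoSVG passes to url_fetcher; make_allowlist_fetcher is hypothetical.
    """
    allowed = {host.lower() for host in allowed_hosts}

    def fetcher(url, resource_type):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "data":
            # Inline data: URLs carry their own bytes, no request is sent.
            return delegate(url, resource_type)
        if scheme != "https":
            # Covers file://, http://, ftp:// and scheme-less local paths.
            raise BlockedResource(f"scheme not allowed: {url!r}")
        if parts.username or parts.password:
            # "https://allowed-host@other-host/" really targets other-host.
            raise BlockedResource(f"userinfo not allowed: {url!r}")
        if (parts.hostname or "").lower() not in allowed:
            raise BlockedResource(f"host not allowed: {url!r}")
        if parts.port not in (None, 443):
            raise BlockedResource(f"port not allowed: {url!r}")
        return delegate(url, resource_type)

    return fetcher


# Assumed wiring, needs CairoSVG >= 2.7.0 installed (not executed here):
#   import cairosvg, cairosvg.url
#   fetcher = make_allowlist_fetcher(cairosvg.url.fetch)
#   cairosvg.svg2png(bytestring=svg_bytes, url_fetcher=fetcher)
```

The check only covers the URL as written in the SVG: redirects followed by the delegate and hostnames that resolve to internal addresses need to be handled in the delegate or at the network layer. The denial-of-service side of the advisory also calls for timeouts and response-size limits in the delegate.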