CVE-2021-21236

Name
CVE-2021-21236
Description
CairoSVG is a Python (PyPI) package that converts SVG files using Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (ReDoS) vulnerability: when processing SVG files, the Python package CairoSVG uses two regular expressions that are vulnerable to ReDoS. If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See the referenced GitHub advisory for more information.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type           URI
Patch          https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
Exploit        https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
Product        https://pypi.org/project/CairoSVG/
Release Notes  https://github.com/Kozea/CairoSVG/releases/tag/2.5.1

Match rules

CPE URI                                            Source package  Min version  Max version
cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:*   cairosvg        >= None      < 2.5.1

Vulnerable and fixed packages

Source package  Branch  Version  Maintainer  Status