CVE-2023-50251

Published: Dec 12, 2023

Modified: May 22, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.

Vendor	Product	Versions
dompdf	php-svg-lib	affected `< 0.5.1`

Weaknesses (CWE)

CWE-674

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2

x_refsource_CONFIRM

https://github.com/dompdf/php-svg-lib/commit/88163cbe562d9b391b3a352e54d9c89d02d77ee0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-50251

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References