CVE-2023-50251: php-svg-lib possible DoS caused by infinite recursion when parsing SVG document

First published: Tue Dec 12 2023(Updated: )

### Summary When parsing the attributes passed to a `use` tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. ### Details Inside `Svg\Tag\UseTag::before`, php-svg-lib parses the attributes passed to an `use` tag inside an svg document. When it finds a `href` or `xlink:href`, it will try to retrieve the object representing this tag: ``` $link = $attributes["href"] ?? $attributes["xlink:href"]; $this->reference = $document->getDef($link); if ($this->reference) { $this->reference->before($attributes); } ``` `$document->getDef` is implemented as follow: ``` public function getDef($id) { $id = ltrim($id, "#"); return isset($this->defs[$id]) ? $this->defs[$id] : null; } ``` _Note:_ the `$id` in the above method is actually the _link_ being used in `use` tag. This part is important, because this behaviour here actually leads to the vulnerability. It will be mentioned later on in this report. If it finds the referenced object, it will try to call the `before` method on the referenced object (this is still inside `Svg\Tag\UseTag::before`) : ``` if ($this->reference) { $this->reference->before($attributes); } ``` In order to cause an infinte loop, we need to be able to control the `$id` used in the `$this->defs[$id]` code above. This `defs` property (`Svg\Document::defs`) is being populated when `Svg\Document::_tagStart` is called. This is the handler being used when the php-svg-lib is parsing the svg structure: ``` // Svg\Document line 343 if ($tag) { if (isset($attributes["id"])) { $this->defs[$attributes["id"]] = $tag; } else { // ... } // ... } ``` So if the `use` tag contains an `id`, then that `use` tag will be added to the `$defs` array with it's `id` as the key. Now as noted before, when there is a link inside the `use` tag, the library uses that link as the `id` to actually find the object or `tag` that has been added to the `Svg\Document::defs`. So if the `id` attribute is equal to the link attribute inside the `use` tag, then the referenced object (in this case it is the `Use` tag object) will be called recursively until the memory given to the script is exhausted. ### PoC This is an example svg file that can be used to demonstrate the vulnerability. ``` <svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <use id="selfref" xlink:href="#selfref" /> </svg> ``` ### Impact When the lib parses the above payload, it will crash: ``` PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37 ``` An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• alias/GHSA-ff5x-7qg5-vwf2
• alias/CVE-2023-50251
• collector/nvd-api
• collector/nvd-cve
• collector/github-advisory
• agent/author
• agent/references
• agent/type
• agent/first-publish-date
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/weakness
• agent/remedy
• agent/severity
• agent/title
• agent/last-modified-date
• agent/event
• agent/description
• agent/trending
• agent/tags
• agent/source
• package-manager/composer
• vendor/dompdf
• canonical/dompdf php-svg-lib