Skip to content

Denial of service caused by infinite recursion when parsing SVG document

Moderate severity GitHub Reviewed Published Dec 12, 2023 in dompdf/php-svg-lib • Updated Dec 13, 2023

Package

composer phenx/php-svg-lib (Composer)

Affected versions

< 0.5.1

Patched versions

0.5.1

Description

Summary

When parsing the attributes passed to a use tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

Details

Inside Svg\Tag\UseTag::before, php-svg-lib parses the attributes passed to an use tag inside an svg document. When it finds a href or xlink:href, it will try to retrieve the object representing this tag:

$link = $attributes["href"] ?? $attributes["xlink:href"];
$this->reference = $document->getDef($link);

if ($this->reference) {
    $this->reference->before($attributes);
}

$document->getDef is implemented as follow:

public function getDef($id) {
    $id = ltrim($id, "#");

    return isset($this->defs[$id]) ? $this->defs[$id] : null;
}

Note: the $id in the above method is actually the link being used in use tag. This part is important, because this behaviour here actually leads to the vulnerability. It will be mentioned later on in this report.

If it finds the referenced object, it will try to call the before method on the referenced object (this is still inside Svg\Tag\UseTag::before) :

if ($this->reference) {
    $this->reference->before($attributes);
}

In order to cause an infinte loop, we need to be able to control the $id used in the $this->defs[$id] code above. This defs property (Svg\Document::defs) is being populated when Svg\Document::_tagStart is called. This is the handler being used when the php-svg-lib is parsing the svg structure:

// Svg\Document line 343
if ($tag) {
    if (isset($attributes["id"])) {
        $this->defs[$attributes["id"]] = $tag;
    }
    else {
        // ...
    }

    // ...
}

So if the use tag contains an id, then that use tag will be added to the $defs array with it's id as the key.

Now as noted before, when there is a link inside the use tag, the library uses that link as the id to actually find the object or tag that has been added to the Svg\Document::defs.

So if the id attribute is equal to the link attribute inside the use tag, then the referenced object (in this case it is the Use tag object) will be called recursively until the memory given to the script is exhausted.

PoC

This is an example svg file that can be used to demonstrate the vulnerability.

<svg width="200" height="200"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use id="selfref" xlink:href="#selfref" />
</svg>

Impact

When the lib parses the above payload, it will crash:

PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37

An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

References

@bsweeney bsweeney published to dompdf/php-svg-lib Dec 12, 2023
Published by the National Vulnerability Database Dec 12, 2023
Published to the GitHub Advisory Database Dec 13, 2023
Reviewed Dec 13, 2023
Last updated Dec 13, 2023

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

0.072%
(33rd percentile)

Weaknesses

CVE ID

CVE-2023-50251

GHSA ID

GHSA-ff5x-7qg5-vwf2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.