Remote Code Injection Affecting convert-svg-core package, versions <0.6.2
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
8.97% (95th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-CONVERTSVGCORE-2849633
- published 19 Jul 2022
- disclosed 1 Jun 2022
- credit Manh Nguyen Van
Introduced: 1 Jun 2022
CVE-2022-25759 Open this link in a new tabHow to fix?
Upgrade convert-svg-core to version 0.6.2 or higher.
Overview
convert-svg-core is a package that supports converting SVG into another format using headless Chromium.
Affected versions of this package are vulnerable to Remote Code Injection via sending an SVG file containing the payload.
PoC:
const { convert } = require('convert-svg-to-png');
const express = require('express');
const fileSvg = ``;
// YWxlcnQoMSk=
// function newContent(){document.open(),document.write('data'),document.close()}
const app = express();
app.get('/poc', async (req, res)=>{
try {
const png = await convert(fileSvg);
res.set('Content-Type', 'image/png');
res.send(png);
} catch (e) {
console.log(e);
res.send("");
}
});
app.listen(3000, ()=>{
console.log('started');
});
References
CVSS Scores
version 3.1