VDB
CVE-2021-21236
CVE-2021-21236
PUBLISHED
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
EPSS 0.14% · 33.6th percentile
Risk Scores
EPSS Score
0.14%
33.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | cairosvg | 1.0.19-1, 0, 1.0.17-1 |
| Ubuntu:24.04:LTS | cairosvg | 2.7.1-1, 0 |
| Ubuntu:25.10 | cairosvg | 2.7.1-1, 0, 2.7.1-2 |
| Ubuntu:18.04:LTS | cairosvg | 1.0.20-1, 0 |
| Ubuntu:22.04:LTS | cairosvg | 2.5.2-1, 0, 2.5.0-1.1 |
| Ubuntu:20.04:LTS | cairosvg | 2.4.0-2, 2.4.2-1, 0 |
Timeline
- Jan 6, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21236 third-party-advisory
- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf third-party-advisory
- https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc third-party-advisory
- https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3 third-party-advisory
- https://github.com/Kozea/CairoSVG/releases/tag/2.5.1 third-party-advisory
- https://pypi.org/project/CairoSVG/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-21236 third-party-advisory