What is CVE-2023-27586?

CVE-2023-27586 is a critical-severity vulnerability in Kozea Cairosvg, classified under Improper Input Validation. CVSS score: 9.9/10. Published 2023-03-20.

How severe is CVE-2023-27586?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Is CVE-2023-27586 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SSRF in Kozea Cairosvg

CVE-2023-27586

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.001 (24.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L.

Affected products

Kozea Cairosvg — versions < 2.7.0

Weakness classification (CWE)

Public proof-of-concept exploits

karimhabush/cyberowl

References

https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv (x_refsource_CONFIRM)
https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255 (x_refsource_MISC)
https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53 (x_refsource_MISC)
https://github.com/Kozea/CairoSVG/releases/tag/2.7.0 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-27586?: CVE-2023-27586 is a critical-severity vulnerability in Kozea Cairosvg, classified under Improper Input Validation. CVSS score: 9.9/10. Published 2023-03-20.
How severe is CVE-2023-27586?: Critical severity. CVSS v3 base score is 9.9 out of 10.
Is CVE-2023-27586 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.