CVE-2021-23631 – This vulnerability in convert-svg-core, convert... (How to Fix)

Q: What is the severity of CVE-2021-23631?

CVE-2021-23631 has a CVSS score of 7.5 (HIGH). This vulnerability in convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg packages allows attackers to read arbitrary files from the server's file system by uploading specially crafted SVG files. The file contents are then exposed in the converted PNG/JPEG output. Any application using these vulnerable packages for SVG conversion is affected.

📋 TL;DR

This vulnerability in convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg packages allows attackers to read arbitrary files from the server's file system by uploading specially crafted SVG files. The file contents are then exposed in the converted PNG/JPEG output. Any application using these vulnerable packages for SVG conversion is affected.

💻 Affected Systems

Products:

convert-svg-core
convert-svg-to-png
convert-svg-to-jpeg

Versions: All versions

Operating Systems: All operating systems running Node.js

Default Config Vulnerable: ⚠️ Yes

Notes: Any Node.js application using these packages for SVG conversion is vulnerable regardless of configuration.

📦 What is this software?

Convert Svg Core by Convert Svg Core Project

View all CVEs affecting Convert Svg Core →

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server file system disclosure including sensitive configuration files, credentials, and private data, potentially leading to full system compromise.

🟠

Likely Case

Unauthorized access to sensitive files containing application secrets, configuration data, or user information stored on the server.

🟢

If Mitigated

Limited file access restricted by application permissions and file system controls, with monitoring detecting suspicious file read attempts.

🌐 Internet-Facing: HIGH - Web applications accepting SVG uploads from untrusted users are directly exploitable without authentication.

🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept available in public gist. Exploitation requires only SVG file upload capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: convert-svg-core 0.6.4, convert-svg-to-png 1.1.7, convert-svg-to-jpeg 1.1.7

Vendor Advisory: https://gist.github.com/legndery/a248350bb25b8502a03c2f407cedeb14

Restart Required: Yes

Instructions:

1. Update package.json to use patched versions. 2. Run 'npm update convert-svg-core convert-svg-to-png convert-svg-to-jpeg'. 3. Restart the application.

🔧 Temporary Workarounds

Disable SVG upload functionality

all

Temporarily disable SVG file uploads until patching is complete

Implement strict file validation

all

Validate SVG files for malicious content before processing

🧯 If You Can't Patch

Implement strict input validation and sanitization for SVG files
Run vulnerable packages in isolated containers with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for vulnerable package versions. Run 'npm list convert-svg-core convert-svg-to-png convert-svg-to-jpeg'.

Check Version:

npm list convert-svg-core convert-svg-to-png convert-svg-to-jpeg

Verify Fix Applied:

Verify installed versions are >= convert-svg-core 0.6.4, convert-svg-to-png 1.1.7, convert-svg-to-jpeg 1.1.7 using 'npm list'.

📡 Detection & Monitoring

Log Indicators:

Unusual file read patterns from SVG conversion processes
Large or abnormal PNG/JPEG output sizes
Failed SVG conversion attempts with file paths

Network Indicators:

SVG file uploads followed by PNG/JPEG downloads containing text data
Unusual file content in converted images

SIEM Query:

source="application_logs" AND ("convert-svg" OR "svg conversion") AND ("error" OR "failed" OR "unexpected")

📊 Metadata

CVE ID: CVE-2021-23631

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-22

Published: January 21, 2022

Last Updated: November 21, 2024

🔗 References

https://gist.github.com/legndery/a248350bb25b8502a03c2f407cedeb14 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOJPEG-2348245 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOPNG-2348244 Exploit,Third Party Advisory
https://gist.github.com/legndery/a248350bb25b8502a03c2f407cedeb14 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOJPEG-2348245 Exploit,Third Party Advisory
https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOPNG-2348244 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23631, you might also want to check these: