CVE-2021-29059
📋 TL;DR
This vulnerability allows attackers to cause a Denial of Service (DoS) by providing a specially crafted invalid SVG string to the is-svg library. The library's regular expression processing becomes inefficient with this input, consuming excessive CPU resources and potentially crashing the application. This affects any application using is-svg version 2.1.0 through 4.2.2 to validate SVG content.
💻 Affected Systems
- is-svg npm package
📦 What is this software?
is-svg, an npm package (sindresorhus/is-svg) used to check whether a string is SVG content.
⚠️ Risk & Real-World Impact
Worst Case
Application becomes completely unresponsive, requiring restart and causing service disruption. In containerized environments, this could trigger resource exhaustion and affect other services on the same host.
Likely Case
Degraded application performance, increased response times, and potential service interruptions for users. The application may need to be restarted to recover.
If Mitigated
Minimal impact with proper input validation and resource limits in place. The application might experience temporary slowdown but recovers quickly.
🎯 Exploit Status
Proof of concept code is publicly available. The attack requires only the ability to provide SVG input to the vulnerable application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.0 and later
Vendor Advisory: https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
Restart Required: Yes
Instructions:
1. Update package.json to require is-svg version 4.3.0 or later.
2. Run 'npm update is-svg' or 'yarn upgrade is-svg'.
3. Restart your application to load the updated library.
🔧 Temporary Workarounds
Input validation and sanitization
Implement cheap, linear-time input checks (type, maximum length, basic structure) that reject oversized or malformed SVG strings before they reach the is-svg library's regular-expression matching.
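The pre-check described above, as an added example that is not part of this advisory or of the is-svg project. It runs only linear-time checks (no regular expressions), so its cost is bounded by the input length, and hands the real validator only input that passed. `isSvgImpl`, `DEFAULT_MAX_BYTES` and the 64 KiB cap are assumptions made for this example; in a real service you would pass the patched `is-svg` (4.3.0 or later) as `isSvgFn` and size the cap to your largest legitimate SVG.

```javascript
// Added example (not from the advisory or the is-svg project): a linear-time
// pre-check that runs before any regex-based SVG validator.

const DEFAULT_MAX_BYTES = 64 * 1024; // assumed cap; tune to your largest legitimate SVG

// Linear-time checks only: no regular expressions, so cost is bounded by input length.
function preValidateSvg(input, maxBytes = DEFAULT_MAX_BYTES) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  const bytes = Buffer.byteLength(input, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `payload too large (${bytes} > ${maxBytes} bytes)` };
  }
  if (input.includes('\u0000')) {
    return { ok: false, reason: 'contains NUL byte' };
  }
  // An SVG document must contain an <svg ...> start tag followed by a closing tag;
  // indexOf scans once and never backtracks.
  const start = input.indexOf('<svg');
  if (start === -1 || input.indexOf('</svg>', start) === -1) {
    return { ok: false, reason: 'no <svg>...</svg> element' };
  }
  return { ok: true, reason: 'passed pre-check' };
}

// Run the pre-check first; only input that passes reaches the real validator.
function validateSvgSafely(input, isSvgFn, maxBytes = DEFAULT_MAX_BYTES) {
  const pre = preValidateSvg(input, maxBytes);
  if (!pre.ok) {
    return { isSvg: false, rejectedBy: 'pre-check', reason: pre.reason };
  }
  return { isSvg: Boolean(isSvgFn(input)), rejectedBy: null, reason: pre.reason };
}

// Hypothetical stand-in for the is-svg function so the example runs offline.
// It is deliberately simplistic and is NOT the library's logic.
function isSvgImpl(s) {
  const t = s.trim();
  return t.startsWith('<svg') || t.startsWith('<?xml');
}

// Usage (constructed inputs):
console.log(validateSvgSafely('<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>', isSvgImpl));
console.log(validateSvgSafely('<svg>'.padEnd(70000, ' ') + '</svg>', isSvgImpl));
```

The pre-check is a guard, not a replacement for the patch: it bounds how much work the vulnerable regex can be handed, which limits the damage of one request, but only the 4.3.0 upgrade removes the inefficient pattern.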
Resource limiting
Configure process or container resource limits (CPU time and memory) so that a process stuck in the inefficient regex cannot exhaust the whole host if exploitation occurs.
docker run --memory=512m --cpus=1 your-app
ulimit -t 30
🧯 If You Can't Patch
- Implement rate limiting on endpoints that accept SVG input
- Deploy Web Application Firewall (WAF) rules to detect and block malicious SVG patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for is-svg version. If version is between 2.1.0 and 4.2.2 inclusive, the system is vulnerable.
Check Version:
npm list is-svg | grep is-svg
Verify Fix Applied:
After updating, verify that is-svg version is 4.3.0 or higher in package.json and that the application starts without errors.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Process crashes or restarts
- Slow response times from SVG processing endpoints
Network Indicators:
- Unusually large SVG payloads
- Repeated requests to SVG validation endpoints
SIEM Query:
source="application.logs" AND ("high cpu" OR "process restart" OR "slow response") AND "svg"
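The log and network indicators above, turned into a small detector as an added example (not part of this advisory). It runs over constructed access-log lines, flags requests to an SVG endpoint whose handling time is far above normal, and flags a single source hitting that endpoint repeatedly within a short window. The log format, the endpoint path `/api/upload/svg`, and the thresholds are assumptions; adapt `parseLine` to your own log format.

```javascript
// Added example (not from the advisory): detection logic over constructed log lines.
// Line format (assumed): "<iso-time> <client-ip> <method> <path> <status> <duration-ms>"
const SAMPLE_LOGS = [
  '2021-05-01T10:00:00Z 203.0.113.5 POST /api/upload/svg 200 12',
  '2021-05-01T10:00:01Z 203.0.113.5 POST /api/upload/svg 200 9',
  '2021-05-01T10:00:02Z 198.51.100.7 POST /api/upload/svg 200 4870',
  '2021-05-01T10:00:03Z 198.51.100.7 POST /api/upload/svg 200 5120',
  '2021-05-01T10:00:04Z 198.51.100.7 POST /api/upload/svg 200 4999',
  '2021-05-01T10:00:05Z 203.0.113.5 GET /static/logo.svg 200 3',
  '2021-05-01T10:00:06Z 192.0.2.9 POST /api/upload/svg 500 31000',
];

const SVG_ENDPOINT = '/api/upload/svg'; // assumed: the endpoint that calls is-svg
const SLOW_MS = 2000;                   // assumed: a healthy is-svg check takes milliseconds
const BURST_COUNT = 3;                  // assumed: 3+ hits from one IP inside the window
const BURST_WINDOW_MS = 10000;

function parseLine(line) {
  const [ts, ip, method, path, status, durationMs] = line.split(' ');
  return {
    time: Date.parse(ts),
    ip,
    method,
    path,
    status: Number(status),
    durationMs: Number(durationMs),
  };
}

// Returns a list of findings: slow SVG requests and per-IP bursts on the SVG endpoint.
function detectSvgAnomalies(lines) {
  const events = lines.map(parseLine).filter((e) => e.path === SVG_ENDPOINT);
  const findings = [];
  const byIp = new Map();

  for (const e of events) {
    // Slow response from the SVG endpoint: the "slow response times" log indicator.
    if (e.durationMs >= SLOW_MS) {
      findings.push({ type: 'slow-svg-request', ip: e.ip, durationMs: e.durationMs });
    }
    const hits = byIp.get(e.ip) || [];
    hits.push(e.time);
    byIp.set(e.ip, hits);
  }

  // Repeated requests from one source: sliding window over sorted timestamps.
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > BURST_WINDOW_MS) lo++;
      if (hi - lo + 1 >= BURST_COUNT) {
        findings.push({ type: 'svg-endpoint-burst', ip, count: hi - lo + 1 });
        break;
      }
    }
  }
  return findings;
}

console.log(detectSvgAnomalies(SAMPLE_LOGS));
```

On the constructed sample, the second source shows both signals at once (three slow requests in a three-second burst), which is the pattern worth paging on; a single slow request from an otherwise quiet client is more likely a large legitimate file and should be correlated with CPU metrics before acting.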
🔗 References
- https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29059/IS-SVG.md
- https://github.com/yetingli/SaveResults/blob/main/js/is-svg.js
- https://www.npmjs.com/package/is-svg