CVE-2022-1575

9.6 CRITICAL

📋 TL;DR

CVE-2022-1575 is a critical (CVSS 9.6) input-sanitization bypass in the draw.io (diagrams.net) diagram editor: a crafted diagram can carry script that the editor fails to neutralise. In the Electron-based desktop application this yields remote code execution on the user's machine; in the web application it is a stored cross-site scripting flaw in the origin that hosts draw.io. Exploitation needs no credentials, but a victim must open or view the malicious diagram. All versions before 18.0.0 are affected.

💻 Affected Systems

Products:
  • drawio (diagrams.net)
Versions: All versions prior to 18.0.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Both desktop and web applications are affected. The desktop app allows RCE, while the web app allows stored XSS.

📦 What is this software?

draw.io (diagrams.net) is a free, open-source diagramming application maintained by JGraph. It runs as a browser application (vendor-hosted at app.diagrams.net or self-hosted) and as an Electron-based desktop application for Windows, Linux and macOS, and it is also embedded in wikis and issue trackers. Diagrams are stored as XML, optionally deflate-compressed and base64-encoded inside the .drawio file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the user's workstation through remote code execution from the desktop app, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

A user opens a crafted diagram (shared drive, e-mail attachment, wiki page) and attacker code runs in the context of the draw.io process, leading to data theft, ransomware deployment, or credential harvesting; on the web app, injected script runs in the victim's draw.io session.

🟢 If Mitigated

With 18.0.0 or later deployed, or with the desktop process prevented from spawning child processes and users not opening untrusted diagrams, impact stays within the application instance; for the web app, hosting draw.io on its own origin confines the stored XSS to that origin's session and data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (no credentials required, but the victim must open or view the crafted diagram)
Complexity: LOW

Exploitation requires a user to open or view a malicious diagram. The original disclosure and the fix commit are public, so the bypass can be reconstructed from the diff; diagrams are ordinary files that can be delivered by e-mail, shared storage, or a wiki page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.0.0 and later

Vendor Advisory: https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7

Restart Required: Yes

Instructions:

1. Download draw.io desktop 18.0.0 or later from the official release channel (https://github.com/jgraph/drawio-desktop/releases).
2. Uninstall the previous version.
3. Install the updated version and restart the application.
4. For self-hosted web deployments (for example the jgraph/drawio container image), rebuild or pull an image at 18.0.0 or later and redeploy. The vendor-hosted app.diagrams.net is updated by the vendor.

🔧 Temporary Workarounds

Disable automatic diagram loading (applies to: all)

Until patched, do not let draw.io open or fetch diagrams automatically from locations an attacker can write to (shared drives, URLs passed to the editor, embedded wiki pages); open only diagrams from sources you trust.

Network segmentation (applies to: all)

Isolate hosts running draw.io desktop from critical systems so that a compromised instance cannot pivot.

🧯 If You Can't Patch

  • Implement strict file upload validation and scanning for diagram files; note that .drawio content is often deflate-compressed and base64-encoded, so a scanner must decode it before inspecting the XML
  • Use application allowlisting or EDR rules so the draw.io desktop process cannot spawn unauthorized child processes
  • For self-hosted web deployments, serve draw.io from its own origin rather than alongside other sensitive web applications, so a stored XSS cannot reach their sessions

🔍 How to Verify

Check if Vulnerable:

Compare the installed version against 18.0.0. Desktop: Help > About, or the 'drawio --version' command on the command line; web: Help > About inside the editor. Compare versions numerically, field by field, not as text.

Check Version:

drawio --version

Verify Fix Applied:

Confirm the reported version is 18.0.0 or higher on every desktop install and every self-hosted web deployment. If you hold a proof-of-concept diagram from the public disclosure, open it only in an isolated VM and confirm no script executes; never open such files on production workstations.
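The version triage above, as an added example (not code from the page or from the draw.io project). It parses whatever `drawio --version` or a Help > About screen reports, compares it numerically against 18.0.0, and optionally runs the page's command on the local host; the binary name `drawio`, the sample strings and the timeout are assumptions.

```python
# Added example (not from the page or the draw.io project): classify a
# draw.io version string against the CVE-2022-1575 fixed version.
import re
import shutil
import subprocess

FIXED_VERSION = (18, 0, 0)  # first release that carries the fix


def parse_version(text):
    """Return the first x.y.z in free-form text as an int tuple.

    Handles bare '17.4.4', a 'v' prefix, and chatter such as
    'draw.io 17.2.1 (linux)'. Comparing tuples of ints avoids the
    classic string-comparison bug where '9.4.3' > '18.0.0'.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True when the reported version predates 18.0.0."""
    return parse_version(version_text) < FIXED_VERSION


def check_local_desktop(binary="drawio"):
    """Run the page's `drawio --version` check on this host.

    Returns True/False for vulnerable/patched, or None when the binary is
    not on PATH or does not answer (a build that opens a window instead
    of printing hits the timeout). Assumes the binary name 'drawio'; on
    Windows the executable is typically draw.io.exe.
    """
    path = shutil.which(binary)
    if path is None:
        return None
    try:
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=20)
        return is_vulnerable(proc.stdout + proc.stderr)
    except (subprocess.TimeoutExpired, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample strings standing in for real --version output.
    for sample in ("17.4.4", "18.0.0", "v18.0.3",
                   "draw.io 17.2.1 (linux)", "9.4.3"):
        verdict = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print("%-26s -> %s" % (sample, verdict))
    local = check_local_desktop()
    print("local desktop:", {None: "drawio not found or no answer",
                             True: "VULNERABLE", False: "patched"}[local])
```

The tuple comparison is the point: a fleet report that sorts or compares version strings lexically will file a 9.x install as newer than 18.0.0 and miss it.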

📡 Detection & Monitoring

Log Indicators:

  • Unusual file parsing errors
  • Suspicious diagram file imports
  • Unexpected process spawns from drawio

Network Indicators:

  • Unexpected outbound connections from drawio process
  • Downloads from untrusted diagram sources

SIEM Query:

(process_name:"drawio" OR process_name:"draw.io.exe") AND (event_type:"process_creation" OR event_type:"network_connection")

The query is pseudo-syntax to adapt to your SIEM; the process name differs by platform (drawio on Linux, draw.io.exe on Windows), and Electron spawns copies of its own binary for renderer and GPU helpers, so filter those out before alerting on child processes.
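The detection logic from the indicators above, as an added example run over constructed endpoint telemetry (not code from the page or from the draw.io project). It flags a draw.io process spawning a foreign child and a draw.io process connecting to a destination outside an allowlist, while ignoring Electron's own helper forks; the JSON field names, executable names and allowlisted hosts are assumptions to adapt to your EDR or SIEM schema.

```python
# Added example (not from the page or the draw.io project): apply the
# page's detection indicators to constructed endpoint telemetry. Field
# names, executable names and the host allowlist are assumptions.
import json

# Desktop executable names per platform (assumed; extend for helper
# processes such as the macOS "draw.io Helper" variants).
DRAWIO_IMAGES = {"drawio", "drawio.exe", "draw.io", "draw.io.exe"}

# Destinations the desktop app is expected to reach (assumed allowlist;
# tune it from a baseline of your own fleet).
EXPECTED_HOSTS = {"app.diagrams.net", "github.com"}


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_drawio(image):
    return basename(image) in DRAWIO_IMAGES


def triage(event):
    """Return an alert string for a suspicious event, else None.

    Rule 1: draw.io spawned something that is not itself. Electron apps
    fork their own binary for renderer/GPU helpers, so a child whose
    image is also draw.io is normal and is deliberately not flagged.
    Rule 2: draw.io opened a connection to a destination outside the
    allowlist (a diagram-triggered payload fetching a stage or beaconing).
    """
    kind = event.get("event_type")
    image = event.get("image", "")
    if kind == "process_creation":
        if is_drawio(event.get("parent_image", "")) and not is_drawio(image):
            return "drawio spawned child process: %s (%s)" % (
                basename(image), event.get("command_line", ""))
    elif kind == "network_connection" and is_drawio(image):
        dest = event.get("dest_host") or event.get("dest_ip", "")
        if dest not in EXPECTED_HOSTS:
            return "drawio outbound connection to unexpected destination: %s:%s" % (
                dest, event.get("dest_port"))
    return None


def scan(lines):
    """Run triage over newline-delimited JSON events; skip malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = triage(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): a normal launch, a child
# shell spawned by draw.io, a normal outbound connection, a connection
# to a TEST-NET address, and an Electron helper fork.
SAMPLE_LOG = r"""
{"event_type":"process_creation","image":"C:\\Program Files\\draw.io\\draw.io.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"draw.io.exe report.drawio"}
{"event_type":"process_creation","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\draw.io\\draw.io.exe","command_line":"cmd.exe /c calc.exe"}
{"event_type":"network_connection","image":"/usr/bin/drawio","dest_host":"app.diagrams.net","dest_port":443}
{"event_type":"network_connection","image":"/usr/bin/drawio","dest_ip":"203.0.113.7","dest_port":4444}
{"event_type":"process_creation","image":"/usr/bin/drawio","parent_image":"/usr/bin/drawio","command_line":"drawio --type=renderer"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

Running it yields two alerts, the cmd.exe spawn and the connection to 203.0.113.7:4444; the helper fork and the allowlisted connection stay quiet. The self-fork exclusion is what keeps the rule usable on real hosts, where every draw.io launch otherwise produces several "child process" hits.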

🔗 References

  • Fix commit (jgraph/drawio): https://github.com/jgraph/drawio/commit/f768ed73875d5eca20110b9c1d72f2789cd1bab7
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-1575
