CVE-2022-24429

7.5 HIGH

📋 TL;DR

CVE-2022-24429 is a code injection vulnerability in convert-svg-core, the library underneath convert-svg-to-png and convert-svg-to-jpeg. The library renders the input SVG in headless Chromium (through Puppeteer) and screenshots the result; affected versions do not stop JavaScript embedded in the SVG from running in that browser. Script in a crafted SVG can therefore read files from the server's file system and draw their contents into the document, so the stolen data comes back to the attacker as rendered text inside the converted PNG. Fixed in 0.6.3.

💻 Affected Systems

Products:
  • convert-svg-core
Versions: All versions before 0.6.3
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using convert-svg-core to process SVG files from untrusted sources is vulnerable.

📦 What is this software?

convert-svg-core is the shared engine behind the convert-svg family of Node.js packages (convert-svg-to-png, convert-svg-to-jpeg and the convert-svg command-line tools). It renders the input SVG in headless Chromium through Puppeteer and captures a screenshot of the result, so the converter is, in effect, a browser that loads attacker-supplied markup.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Disclosure of any file the converter's OS account can read (credentials, private keys, .env and configuration files, source code), followed by credential reuse against databases, cloud APIs or other hosts. Code execution on the server is not a direct consequence: the injected script runs inside headless Chromium, and reaching the host would additionally require a browser exploit (deployments that launch Chromium with --no-sandbox, common in containers, remove one of those barriers).

🟠 Likely Case: Disclosure of sensitive files readable by the application user, typically configuration files, .env files holding secrets, and source code.

🟢 If Mitigated: Little of value is exposed when untrusted SVG is rejected before conversion and the converter runs as an unprivileged account in an isolated environment that holds no secrets.

🌐 Internet-Facing: HIGH - Any web application accepting SVG uploads and using convert-svg-core is directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications processing SVG files remain vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a malicious SVG file upload. Proof-of-concept examples are available in public GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.3 and later

Vendor Advisory: https://github.com/neocotic/convert-svg/commit/a43dffaab0f1e419d5be84e2e7356b86ffac3cf1

Restart Required: Yes

Instructions:

1. Install a fixed release. npm update stays inside the range declared in package.json, and a caret range on a 0.x version (for example ^0.5.0) never reaches 0.6.3, so pin it explicitly: npm install convert-svg-core@^0.6.3 (prefer the current release over exactly 0.6.3). When convert-svg-core is only a transitive dependency, which is the usual case because it arrives through convert-svg-to-png, convert-svg-to-jpeg or the convert-svg CLI, update that package to a release that depends on 0.6.3 or later rather than overriding the nested copy.
2. Restart the application so the new module is loaded; a long-running Node.js process keeps the old code in memory.
3. Confirm with npm ls --all convert-svg-core that every installed copy, including nested ones, is 0.6.3 or later, then convert a test SVG containing a <script> element and check that the output is identical to the output for the same SVG with the script removed.

🔧 Temporary Workarounds

Reject untrusted SVG before conversion (all platforms)

Screen every SVG before it reaches convert-svg-core and reject, rather than try to clean, anything that carries executable or external content: <script> elements, on* event-handler attributes, javascript: or file: URLs, <foreignObject>, and references that are not plain #fragment links. Allowlisting a small set of drawing elements and failing closed on anything unrecognised is far safer than a deny-list, because the renderer is a full browser and will honour every trick it knows.

Run the converter as a locked-down account (linux)

The injected script can only read what the OS account running Node.js (and therefore the headless Chromium it spawns) can read, so run the converter under a dedicated unprivileged user that owns nothing but the application directory, keep secrets out of that account's reach, and prefer an isolated container with no credentials mounted. The commands below only tighten the application directory itself; they do not stop reads of /etc, home directories or other world-readable files, which is why the choice of account matters more than the mode bits.

chmod -R 750 /path/to/app
chown -R appuser:appgroup /path/to/app
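One way to implement the screening step, as an added example that is not part of this advisory or of convert-svg-core itself: a fail-closed allowlist scanner in Node.js that runs before the SVG string is handed to the converter. The element list, the regular expressions and the rejection rules are assumptions chosen for this example, and the sample documents are constructed rather than real payloads.

```javascript
'use strict';
// Added example (not convert-svg-core's own code): fail-closed pre-screen for SVG
// source on an unpatched install. Anything not explicitly permitted is rejected.

// Assumed allowlist of drawing elements. Deliberately absent: script, style, image,
// a, foreignObject and every animation element (they can set attributes at runtime).
const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'symbol', 'use', 'title', 'desc',
  'path', 'rect', 'circle', 'ellipse', 'line', 'polyline', 'polygon',
  'text', 'tspan', 'linearGradient', 'radialGradient', 'stop',
  'clipPath', 'mask', 'pattern',
]);

// One start/end tag with its attributes; values may be double-, single- or un-quoted.
const TAG_RE = /<\/?([A-Za-z][\w.:-]*)((?:\s+[A-Za-z_:][\w.:-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/y;
const ATTR_RE = /([A-Za-z_:][\w.:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
// Schemes that reach the script engine or a file loader, and '&' because an entity
// reference could spell one of them out (java&#x73;cript:).
const BAD_VALUE_RE = /(?:javascript|vbscript|file|data)\s*:|&/i;
// Every url(...) in a value must point at a #fragment of the same document.
const URL_FN_RE = /url\s*\(\s*["']?\s*([^"')\s]?)/gi;

function reject(reason) {
  return { ok: false, reason };
}

function hasNonFragmentUrl(value) {
  for (const m of value.matchAll(URL_FN_RE)) if (m[1] !== '#') return true;
  return false;
}

function checkAttributes(attrText) {
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name.startsWith('on')) return reject(`event handler attribute ${m[1]}`);
    if ((name === 'href' || name === 'xlink:href') && !value.startsWith('#')) {
      return reject(`non-fragment reference in ${m[1]}`);
    }
    if (BAD_VALUE_RE.test(value) || hasNonFragmentUrl(value)) {
      return reject(`suspicious value in ${m[1]}`);
    }
  }
  return { ok: true };
}

// Returns { ok: true } or { ok: false, reason }. Any construct the scanner does not
// understand (DOCTYPE, CDATA, a bare '<' in text, an unterminated comment) is a rejection.
function screenSvg(src) {
  let i = 0;
  while (i < src.length) {
    const lt = src.indexOf('<', i);
    if (lt === -1) break;
    if (src.startsWith('<!--', lt)) {
      const end = src.indexOf('-->', lt + 4);
      if (end === -1) return reject('unterminated comment');
      i = end + 3;
      continue;
    }
    if (src.startsWith('<?', lt)) {                 // XML declaration / processing instruction
      const end = src.indexOf('?>', lt + 2);
      if (end === -1) return reject('unterminated processing instruction');
      i = end + 2;
      continue;
    }
    if (src.startsWith('<!', lt)) return reject('DOCTYPE/CDATA not allowed');
    TAG_RE.lastIndex = lt;
    const tag = TAG_RE.exec(src);
    if (tag === null) return reject(`unparseable markup at offset ${lt}`);
    if (!ALLOWED_ELEMENTS.has(tag[1])) return reject(`element <${tag[1]}> not allowed`);
    const attrs = checkAttributes(tag[2]);
    if (!attrs.ok) return attrs;
    i = lt + tag[0].length;
  }
  return { ok: true };
}

// Constructed samples: a benign icon, the shape of a script-element payload, and an
// event-handler variant that a naive "<script" filter would miss.
const BENIGN_SVG = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">' +
  '<!-- comment --><rect x="0" y="0" width="16" height="16" fill="url(#g)"/><use href="#r"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* read a local file, draw it */</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" onload="x()"/></svg>';

for (const s of [BENIGN_SVG, SCRIPT_SVG, HANDLER_SVG]) console.log(screenSvg(s));
```

Expect legitimate SVGs to be rejected as well (anything using <style>, <image>, external fonts, CDATA sections, entity references inside attribute values, or a bare < in text); that is the intended trade-off for a stop-gap on an unpatched install, and it is not a substitute for upgrading to 0.6.3.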

🧯 If You Can't Patch

  • Disable SVG conversion entirely, or stop accepting SVG from untrusted sources, until the upgrade can be made
  • Isolate the converter: run it in a dedicated container or VM with no secrets on its file system and a read-only root where possible, so that a successful script finds nothing worth reading
  • A WAF rule that blocks <script in uploads raises the bar but is easy to bypass (alternative encodings, multipart tricks, event-handler attributes instead of script elements); treat it as defence in depth, not as a fix

🔍 How to Verify

Check if Vulnerable:

package.json only records the declared version range, not what is installed, and convert-svg-core is usually a transitive dependency of convert-svg-to-png or convert-svg-to-jpeg rather than a direct one. Inspect the installed tree instead: any copy reported below 0.6.3, including a nested copy under another package, means the system is vulnerable.

Check Version:

npm ls --all convert-svg-core

(--all, needed on npm 7 and later, includes nested copies in the listing.)

Verify Fix Applied:

Confirm that every copy listed is 0.6.3 or later, then convert a test SVG that contains a <script> element and compare the output with the output for the same SVG with the script removed: the two images must be identical.
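A check of the installed tree rather than of package.json, added here as an example and not part of the project's tooling: given the parsed output of npm ls --all --json, it lists every copy of convert-svg-core below 0.6.3, nested ones included. The version-comparison rules and the sample tree are assumptions; the sample is constructed to show a fixed direct copy next to a vulnerable nested one.

```javascript
'use strict';
// Added example (not the advisory's or the project's code): walk an `npm ls --all --json`
// tree and report every installed convert-svg-core below the fixed release.

const PACKAGE = 'convert-svg-core';
const FIXED = [0, 6, 3];

// Parse "0.6.2", "v0.6.2" or "0.6.2-beta.1" into [major, minor, patch]; null if not semver-like.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when version >= 0.6.3. Unparseable or missing versions count as vulnerable on purpose.
function isFixed(version) {
  const p = parseVersion(version);
  if (p === null) return false;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] > FIXED[i];
  }
  return true;
}

// Recursively collect every convert-svg-core node in the tree.
// Returns [{ path: 'parent > ... > convert-svg-core', version, fixed }].
function findConvertSvgCore(tree, trail = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...trail, name];
    if (name === PACKAGE) {
      out.push({ path: here.join(' > '), version: node.version ?? 'unknown', fixed: isFixed(node.version) });
    }
    findConvertSvgCore(node, here, out);
  }
  return out;
}

function vulnerableCopies(tree) {
  return findConvertSvgCore(tree).filter(entry => !entry.fixed);
}

// Constructed sample shaped like `npm ls --all --json`: the application pinned a fixed
// convert-svg-core directly, but an old convert-svg-to-png still carries its own nested copy.
const SAMPLE_TREE = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    'convert-svg-core': { version: '0.6.4' },
    'convert-svg-to-png': {
      version: '0.5.0',
      dependencies: { 'convert-svg-core': { version: '0.5.0' } },
    },
  },
};

console.log(vulnerableCopies(SAMPLE_TREE));
```

Run npm ls --all --json > tree.json in the project, read the file with JSON.parse, and pass the object to vulnerableCopies; an empty result means no vulnerable copy is installed. Because the nested 0.5.0 copy in the sample is the one convert-svg-to-png actually loads, the direct 0.6.4 entry gives no protection on its own.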

📡 Detection & Monitoring

Log Indicators:

  • File reads of sensitive paths (/etc/passwd, home directories, .env files, key material) by a headless Chromium process whose parent is the Node.js application; Chromium legitimately reads fonts, CA certificates and its own files under node_modules, so baseline those on a clean host first
  • Converted PNGs that are unusually large, or that render as long runs of text, for small SVG inputs
  • Puppeteer or convert-svg-core errors (render timeouts, page crashes) concentrated around uploads from one client, which can indicate payload tuning

Network Indicators:

  • The stolen data leaves as the converted PNG returned to the uploader, so there is no separate outbound connection to spot; watch instead for one source that uploads many SVGs varying only in embedded script and downloads every result
  • Output inspection: PNGs produced by the service that render as pages of text rather than graphics

SIEM Query:

Illustrative, using the same field names as the page's query; tune the path list and the excluded Chromium reads to your host baseline.

process.name:("chrome" OR "chromium" OR "headless_shell") AND process.parent.name:"node" AND file.operation:"read" AND file.path:("/etc/*" OR "/root/*" OR "/home/*" OR "*/.env" OR "/proc/*/environ") AND NOT file.path:("*node_modules*" OR "/etc/fonts/*" OR "/etc/ssl/*")
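The same logic as detection code run over sample events, added here as an example and not taken from the advisory or from any SIEM product. The field names (ts, category, action, process, parent, path, content_type, client_ip), the sensitive-path lists, the expected-read exclusions and the 30-second correlation window are assumptions, and the events are constructed.

```javascript
'use strict';
// Added example, not from the advisory: flag sensitive file reads by the headless Chromium
// that convert-svg-core launches, and attribute each one to a recent SVG upload.
// Field names, path lists and the window are assumptions; tune them to the host baseline.

const WINDOW_MS = 30 * 1000;                      // upload-to-read correlation window (assumed)
const BROWSER_NAMES = new Set(['chrome', 'chromium', 'chromium-browser', 'headless_shell']);
// Paths headless Chromium is expected to read on a typical Linux host (assumed baseline;
// /etc is noisy, so extend this list from observations on a clean machine).
const EXPECTED_BROWSER_READS = ['/etc/fonts/', '/etc/ld.so.cache', '/etc/localtime',
  '/etc/nsswitch.conf', '/etc/hosts', '/etc/resolv.conf', '/etc/ssl/certs/', '/usr/share/fonts/'];
const SENSITIVE_PREFIXES = ['/etc/', '/root/', '/home/', '/var/run/secrets/'];
const SENSITIVE_SUFFIXES = ['/.env', '/environ', '/id_rsa', '/id_ed25519', '/credentials', '/.npmrc'];

function isSensitivePath(p) {
  if (p.includes('/node_modules/')) return false;                 // the library's own files
  if (EXPECTED_BROWSER_READS.some(x => p.startsWith(x))) return false;
  return SENSITIVE_PREFIXES.some(x => p.startsWith(x)) || SENSITIVE_SUFFIXES.some(x => p.endsWith(x));
}

// A file read performed by a browser process whose parent is the Node.js service.
function isBrowserRead(ev) {
  return ev.category === 'file' && ev.action === 'read' &&
    BROWSER_NAMES.has(ev.process) && ev.parent === 'node' && isSensitivePath(ev.path);
}

function isSvgUpload(ev) {
  return ev.category === 'http' && ev.method === 'POST' &&
    String(ev.content_type || '').toLowerCase().includes('image/svg');
}

// Returns one alert per suspicious read. severity is 'high' when an SVG upload preceded
// the read within WINDOW_MS (and the uploader is recorded), otherwise 'medium'.
function detect(events) {
  const uploads = events.filter(isSvgUpload).map(e => ({ ...e, t: Date.parse(e.ts) }));
  const alerts = [];
  for (const ev of events) {
    if (!isBrowserRead(ev)) continue;
    const t = Date.parse(ev.ts);
    const upload = uploads.find(u => t >= u.t && t - u.t <= WINDOW_MS);
    alerts.push({
      ts: ev.ts,
      pid: ev.pid,
      path: ev.path,
      upload_from: upload ? upload.client_ip : null,
      severity: upload ? 'high' : 'medium',
    });
  }
  return alerts;
}

// Constructed events: the app reads its own .env at startup (fine), a client uploads an
// SVG, then the Chromium child reads fonts and its own binary (fine) and /app/.env (alert).
const SAMPLE_EVENTS = [
  { ts: '2024-05-01T10:00:00Z', category: 'file', action: 'read', process: 'node', parent: 'systemd', pid: 100, path: '/app/.env' },
  { ts: '2024-05-01T10:05:00Z', category: 'http', method: 'POST', uri: '/convert', content_type: 'image/svg+xml', client_ip: '203.0.113.7' },
  { ts: '2024-05-01T10:05:01Z', category: 'file', action: 'read', process: 'chrome', parent: 'node', pid: 4242, path: '/etc/fonts/fonts.conf' },
  { ts: '2024-05-01T10:05:01Z', category: 'file', action: 'read', process: 'chrome', parent: 'node', pid: 4242, path: '/app/node_modules/puppeteer/.local-chromium/chrome' },
  { ts: '2024-05-01T10:05:03Z', category: 'file', action: 'read', process: 'chrome', parent: 'node', pid: 4242, path: '/app/.env' },
];

console.log(detect(SAMPLE_EVENTS));
```

The point of keying on the parent-child relationship is that the Node.js service reading its own .env is normal, while the browser it spawned reading the same file is not; without that distinction the rule would fire on every application restart.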
