CVE-2022-25759

9.9 CRITICAL

📋 TL;DR

CVE-2022-25759 is a critical remote code injection vulnerability in convert-svg-core package versions before 0.6.2. Attackers can execute arbitrary code on affected systems by uploading malicious SVG files containing payloads. This affects any application using vulnerable versions of convert-svg-core for SVG processing.

💻 Affected Systems

Products:
  • convert-svg-core
Versions: All versions before 0.6.2
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using convert-svg-core for SVG processing is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with application privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Remote code execution leading to application compromise, data exfiltration, and potential privilege escalation on the host system.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially resulting in denial of service at worst.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only SVG file upload capability. Public proof-of-concept exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.2 and later

Vendor Advisory: https://github.com/neocotic/convert-svg/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to require convert-svg-core version 0.6.2 or higher.
2. Run 'npm update convert-svg-core'.
3. Restart the application.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement strict SVG validation before processing:

  • Implement XML schema validation for SVG files
  • Use DOMPurify or similar library to sanitize SVG content

File Upload Restrictions (applies to: all)

Block SVG file uploads entirely:

  • Configure web server to reject .svg file uploads
  • Implement file type validation in application code

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SVG processing services
  • Deploy web application firewall with SVG content inspection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json for convert-svg-core version <0.6.2 or run 'npm list convert-svg-core'

Check Version:

npm list convert-svg-core | grep convert-svg-core

Verify Fix Applied:

Verify package.json shows convert-svg-core version >=0.6.2 and test SVG processing functionality
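As an added example that is not part of this advisory, the following Node.js script automates the version check above against a package-lock.json (lockfileVersion 2 or 3), comparing versions numerically and walking every install path so that a nested copy of convert-svg-core pulled in transitively by a dependent package is caught even when a top-level listing shows a fixed version. The lockfile content, the app name and the dependent package (convert-svg-to-png) are constructed for the sample.

```javascript
// Added example (not from the advisory): list installed copies of convert-svg-core
// below the fixed release 0.6.2 in a package-lock.json object (lockfileVersion 2 or 3).
const PACKAGE = 'convert-svg-core';
const FIXED_VERSION = [0, 6, 2];

// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into numbers; null when unparseable.
// Prerelease tags are ignored, so "0.6.2-rc.1" counts as 0.6.2.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True for any version that sorts before 0.6.2 numerically (string comparison would
// wrongly rank "0.10.0" below "0.6.2"). Unparseable versions are flagged for review.
function isVulnerableVersion(v) {
  const parts = parseVersion(v);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Return every vulnerable install path. The "packages" map is keyed by install path,
// so nested copies that a dependent package pulls in transitively are found too,
// even though a top-level `npm list` can hide them.
function findVulnerableInstalls(lock, pkg = PACKAGE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last segment is the package name
    if (name === pkg && isVulnerableVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is fixed, but a nested copy under an
// assumed dependent package is not, so only the nested path is reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/convert-svg-core': { version: '0.6.2' },
    'node_modules/convert-svg-to-png': { version: '0.5.0' },
    'node_modules/convert-svg-to-png/node_modules/convert-svg-core': { version: '0.5.0' },
  },
};
console.log(findVulnerableInstalls(SAMPLE_LOCK)); // one hit: the nested 0.5.0 copy
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no installed copy is below 0.6.2.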

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Node.js application
  • Large or malformed SVG file uploads
  • Error logs showing SVG parsing failures

Network Indicators:

  • Unusual outbound connections from application server
  • SVG file uploads containing script tags or encoded payloads

SIEM Query:

source="application.logs" AND ("convert-svg" OR "svg processing") AND ("error" OR "exception")

🔗 References