CVE-2023-3398

7.5 HIGH

📋 TL;DR

This CVE describes a Denial of Service vulnerability in the draw.io diagramming software. Attackers can cause the application to crash or become unresponsive by exploiting resource exhaustion. All users running draw.io versions prior to 18.1.3 are affected.

💻 Affected Systems

Products:
  • draw.io (diagrams.net)
Versions: All versions prior to 18.1.3
Operating Systems: All platforms (Windows, macOS, Linux, web)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployment types: desktop applications, web applications, and integrations.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption making draw.io unavailable for all users, potentially affecting business operations that rely on diagram creation and collaboration.

🟠

Likely Case

Application crashes or becomes unresponsive for individual users, requiring restart and causing data loss for unsaved work.

🟢

If Mitigated

Minimal impact with proper network segmentation and updated software, though isolated incidents may still occur.

🌐 Internet-Facing: MEDIUM - Web-based deployments could be targeted by external attackers, but exploitation requires specific conditions.
🏢 Internal Only: MEDIUM - Internal users could accidentally or intentionally trigger the vulnerability, affecting availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions to trigger resource exhaustion. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.1.3 and later

Vendor Advisory: https://github.com/jgraph/drawio/commit/064729fec4262f9373d9fdcafda0be47cd18dd50

Restart Required: Yes

Instructions:

1. Update draw.io to version 18.1.3 or later.
2. For desktop applications: download the latest version from the draw.io website.
3. For web deployments: update to the latest container/image.
4. Restart the application/service.

🔧 Temporary Workarounds

Resource Limiting

Platform: all

Implement resource limits on draw.io processes to prevent complete exhaustion

# For container deployments:
docker run --memory=512m --cpus=1 drawio

Network Segmentation

Platform: all

Restrict network access to draw.io instances to trusted users only

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for user-provided content
  • Monitor system resources and restart services when resource usage exceeds thresholds

🔍 How to Verify

Check if Vulnerable:

Check draw.io version in application settings or via 'Help > About' menu

Check Version:

# For desktop: Check 'Help > About' menu
# For web: Check browser console or application info

Verify Fix Applied:

Confirm version is 18.1.3 or higher and test with known triggering conditions

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • High memory/CPU usage spikes
  • Out of memory errors

Network Indicators:

  • Unusual traffic patterns to draw.io endpoints
  • Multiple connection attempts

SIEM Query:

source="drawio" AND (event="crash" OR memory_usage>90% OR cpu_usage>95%)
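The SIEM query above and the "monitor system resources and restart services when resource usage exceeds thresholds" workaround describe the same detection logic. As an added example (not part of this advisory and not draw.io project code), the block below applies that logic to constructed log records. The record fields (source, event, memory_usage, cpu_usage) mirror the query's field names; the log records, the Alert type and the restart_recommended helper are assumptions made for illustration, and the restart rule deliberately requires a sustained breach rather than a single spike so that a one-off usage peak does not cause an unnecessary restart.

```python
"""Added example: evaluate the advisory's SIEM query over constructed
draw.io resource/event log records and decide whether a restart is warranted.

Assumptions (hypothetical, not taken from draw.io): log records are dicts
carrying the fields named in the query; SAMPLE_RECORDS is constructed data.
"""
from dataclasses import dataclass

MEMORY_THRESHOLD = 90.0  # percent, from the advisory's SIEM query
CPU_THRESHOLD = 95.0     # percent, from the advisory's SIEM query


@dataclass
class Alert:
    """One record that matched the query, with the conditions it triggered."""
    record: dict
    reasons: list


def evaluate_record(record):
    """Return the triggered conditions for one record, or [] if it does not
    match: source="drawio" AND (event="crash" OR memory>90% OR cpu>95%)."""
    if record.get("source") != "drawio":
        return []
    reasons = []
    if record.get("event") == "crash":
        reasons.append("crash")
    if float(record.get("memory_usage", 0)) > MEMORY_THRESHOLD:
        reasons.append("memory>90%")
    if float(record.get("cpu_usage", 0)) > CPU_THRESHOLD:
        reasons.append("cpu>95%")
    return reasons


def find_indicators(records):
    """Run the query over a record stream and collect the matches."""
    return [Alert(r, rs) for r in records if (rs := evaluate_record(r))]


def restart_recommended(records, window=3):
    """True if a draw.io crash was logged, or resource thresholds were
    exceeded in `window` consecutive draw.io samples. A single spike is not
    enough; records from other sources neither break nor extend the streak."""
    streak = 0
    for r in records:
        if r.get("source") != "drawio":
            continue
        reasons = evaluate_record(r)
        if "crash" in reasons:
            return True
        streak = streak + 1 if reasons else 0
        if streak >= window:
            return True
    return False


# Constructed sample records (not real draw.io logs); usage is in percent.
SAMPLE_RECORDS = [
    {"ts": 1, "source": "drawio", "event": "render", "memory_usage": 41, "cpu_usage": 22},
    {"ts": 2, "source": "drawio", "event": "render", "memory_usage": 93, "cpu_usage": 60},
    {"ts": 3, "source": "drawio", "event": "render", "memory_usage": 95, "cpu_usage": 97},
    {"ts": 4, "source": "drawio", "event": "crash", "memory_usage": 99, "cpu_usage": 99},
    {"ts": 5, "source": "nginx", "event": "crash", "memory_usage": 99, "cpu_usage": 99},
    {"ts": 6, "source": "drawio", "event": "render", "memory_usage": 30, "cpu_usage": 96},
]

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_RECORDS):
        print(f"ts={alert.record['ts']} matched: {', '.join(alert.reasons)}")
    print("restart recommended:", restart_recommended(SAMPLE_RECORDS))
```

Running the block lists the four draw.io records that match (the nginx crash at ts=5 is filtered out by the source clause) and recommends a restart because a crash event was logged; with only the first three samples the two consecutive threshold breaches fall short of the default window of three.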
