CVE-2023-44709

9.8 CRITICAL

📋 TL;DR

CVE-2023-44709 is an integer overflow vulnerability in PlutoSVG's plutosvg_load_from_memory function that allows attackers to cause memory corruption. This can lead to arbitrary code execution or denial of service when processing malicious SVG files. Anyone using PlutoSVG library versions before the fix is affected.

💻 Affected Systems

Products:
  • PlutoSVG
Versions: All versions before commit 336c02997277a1888e6ccbbbe674551a0582e5c4
Operating Systems: All platforms where PlutoSVG is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses the PlutoSVG library to parse SVG files is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application processing SVG files, potentially leading to complete system compromise.

🟠 Likely Case

Application crash (denial of service) when processing specially crafted SVG files.

🟢 If Mitigated

Limited impact if input validation and memory protections are in place, potentially just application instability.

🌐 Internet-Facing: HIGH - SVG files are commonly processed from untrusted sources on web applications.
🏢 Internal Only: MEDIUM - Internal applications processing SVG files could be exploited by malicious insiders or through supply chain attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is available in a GitHub gist; exploitation requires only that a malicious SVG file be processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and later

Vendor Advisory: https://github.com/sammycage/plutosvg/issues/7

Restart Required: Yes

Instructions:

1. Update PlutoSVG to the latest version from the GitHub repository.
2. Recompile any applications using PlutoSVG.
3. Restart affected services.

🔧 Temporary Workarounds

  • Disable SVG processing (all platforms): Temporarily disable SVG file processing in applications that use PlutoSVG.
  • Input validation (all platforms): Implement strict validation of SVG files before passing them to PlutoSVG.

🧯 If You Can't Patch

  • Implement strict file type validation to reject SVG files from untrusted sources
  • Run applications with minimal privileges and in sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses a PlutoSVG library version from before commit 336c02997277a1888e6ccbbbe674551a0582e5c4

Check Version:

Check build configuration or source code for PlutoSVG version/commit hash

Verify Fix Applied:

Verify PlutoSVG version is updated to commit 336c02997277a1888e6ccbbbe674551a0582e5c4 or later
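
One way to run the check above when PlutoSVG is vendored as a git checkout (submodule or clone), as an added example that is not from the advisory or the PlutoSVG project. The helper name `plutosvg_fix_status` and the `fixed` / `vulnerable` / `unknown` labels are assumptions made for illustration. Commit hashes carry no ordering, so the script asks git whether the fix commit is an ancestor of the checked-out HEAD.

```sh
#!/bin/sh
# Added example: does a PlutoSVG git checkout already contain the fix commit?
# Fix commit hash as given in this advisory.
FIX_COMMIT=336c02997277a1888e6ccbbbe674551a0582e5c4

# plutosvg_fix_status REPO_DIR [FIX_COMMIT]   (hypothetical helper name)
# Prints one of: fixed | vulnerable | unknown
plutosvg_fix_status() {
    repo=$1
    fix=${2:-$FIX_COMMIT}

    # Not a git checkout (for example sources copied from a tarball):
    # history cannot answer the question, inspect the sources by hand.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 0
    fi

    # Fix commit object missing locally: shallow clone, stale fetch, or a fork
    # that carries the fix under a different hash. Do not guess.
    if ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi

    # Hashes have no order; ancestry does. Exit status 0 means the fix commit
    # is HEAD or an ancestor of HEAD, 1 means it is not, anything else is an error.
    rc=0
    git -C "$repo" merge-base --is-ancestor "$fix" HEAD 2>/dev/null || rc=$?
    case $rc in
        0) echo fixed ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use: sh check.sh path/to/vendored/plutosvg
if [ "$#" -ge 1 ]; then
    plutosvg_fix_status "$@"
fi
```

An `unknown` result means git history could not settle the question; fetch the full upstream history and re-run, or compare the sources against the fix commit directly.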

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing SVG files
  • Memory access violation errors in logs

Network Indicators:

  • Unusual SVG file uploads to web applications
  • SVG files with abnormal sizes or structures

SIEM Query:

source="application.log" AND ("segmentation fault" OR "access violation" OR "memory corruption") AND "svg"
