CVE-2024-33766

5.3 MEDIUM

📋 TL;DR

CVE-2024-33766 is a floating point exception vulnerability in lunasvg v2.3.9 that can cause denial of service through application crashes. This affects applications that process SVG files using the vulnerable lunasvg library. Users and systems that parse untrusted SVG files with this library version are at risk.

💻 Affected Systems

Products:
  • lunasvg
Versions: v2.3.9 specifically
Operating Systems: All platforms where lunasvg runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using lunasvg library version 2.3.9 for SVG processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash leading to denial of service, potentially disrupting services that rely on SVG processing.

🟠 Likely Case: Application instability or crashes when processing specially crafted SVG files, resulting in temporary service disruption.

🟢 If Mitigated: Minimal impact if proper input validation and sandboxing are implemented around SVG processing.

🌐 Internet-Facing: MEDIUM - Applications accepting SVG uploads from untrusted sources could be targeted to cause service disruption.
🏢 Internal Only: LOW - Internal applications processing trusted SVG files have lower exposure risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept available on GitHub demonstrates triggering the FPE with crafted SVG files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.3.10 or later

Vendor Advisory: https://github.com/sammycage/lunasvg/releases

Restart Required: Yes

Instructions:

1. Check the current lunasvg version.
2. Update to v2.3.10 or later via package manager or manual compilation.
3. Restart affected applications using lunasvg.

🔧 Temporary Workarounds

Input validation for SVG files (Platform: all)

Implement strict validation and sanitization of SVG files before processing with lunasvg.

Process isolation (Platform: all)

Run SVG processing in isolated containers or sandboxed environments to contain crashes.

🧯 If You Can't Patch

  • Implement strict file upload restrictions to block SVG files from untrusted sources
  • Deploy monitoring and alerting for application crashes related to SVG processing

🔍 How to Verify

Check if Vulnerable:

Check if lunasvg version 2.3.9 is installed and being used by applications.

Check Version:

Run lunasvg --version, or query the package manager (apt list lunasvg, yum list lunasvg, etc.).

Verify Fix Applied:

Verify lunasvg version is 2.3.10 or later and test with known malicious SVG files.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with floating point exceptions
  • Segmentation faults in SVG processing components
  • Unexpected termination of services using lunasvg

Network Indicators:

  • Unusual SVG file uploads to web applications
  • Repeated requests with SVG payloads

SIEM Query:

source="application_logs" AND ("floating point exception" OR "FPE" OR "SIGFPE") AND "lunasvg"
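As an added example that is not part of this advisory, the log-indicator logic above implemented over constructed syslog-style lines. Crash reports from the kernel or systemd usually do not contain the string "lunasvg", so the single-line SIEM match misses them; this version correlates SIGFPE/SIGSEGV crash lines with processes that recently logged lunasvg activity. The process name svgworker, the unit name and every log line are constructed.

```python
import re
from collections import deque

# Constructed syslog-style sample (not real log data): an SVG worker that uses
# lunasvg, then a SIGFPE crash reported by the kernel and by systemd, plus
# unrelated noise that must not alert.
SAMPLE_LOG = """\
Mar 03 10:00:01 host svgworker[4242]: lunasvg 2.3.9: rendering upload_17.svg (2314 bytes)
Mar 03 10:00:02 host kernel: traps: svgworker[4242] trap divide error ip:55d1c0a0 sp:7ffd2 error:0 in svgworker[55d1c000+4000]
Mar 03 10:00:02 host systemd[1]: svgworker.service: Main process exited, code=killed, status=8/FPE
Mar 03 10:00:05 host sshd[100]: Accepted publickey for ops from 10.0.0.5
Mar 03 10:00:09 host pdfworker[5151]: Segmentation fault in unrelated component
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Crash indicators: the advisory's FPE keywords plus the kernel/systemd spellings of SIGFPE and SIGSEGV.
FPE_RE = re.compile(r"floating[ -]point exception|\bSIGFPE\b|status=8/FPE|trap divide error", re.I)
SEGV_RE = re.compile(r"segmentation fault|\bSIGSEGV\b|status=11/SEGV", re.I)
# Which process crashed: the kernel names it inside the message, systemd names the unit.
CRASHED_RE = re.compile(r"traps: (?P<name>[\w.-]+)\[\d+\]|(?P<unit>[\w.-]+)\.service:")


def scan(lines, window=50):
    """Return alerts for FPE/SEGV crashes of processes that recently logged lunasvg activity."""
    recent = deque(maxlen=window)  # names of processes that mentioned lunasvg lately
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if "lunasvg" in msg.lower():
            recent.append(proc)
        if FPE_RE.search(msg):
            signal = "SIGFPE"
        elif SEGV_RE.search(msg):
            signal = "SIGSEGV"
        else:
            continue
        c = CRASHED_RE.search(msg)
        crashed = (c["name"] or c["unit"]) if c else proc
        if crashed in recent:  # crash of a process we know was doing lunasvg work
            alerts.append({"ts": m["ts"], "process": crashed, "signal": signal, "line": line.strip()})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The pdfworker segfault is deliberately left unalerted because no lunasvg activity preceded it; widen the window or drop the correlation if your logs never name the library.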
