CVE-2024-57719

6.5 MEDIUM

📋 TL;DR

Lunasvg v3.0.0 contains a NULL pointer dereference vulnerability in the blend_transformed_tiled_argb.isra.0 component that can cause segmentation faults. This affects applications that process untrusted SVG files using the vulnerable library version. The vulnerability could lead to denial of service or potentially be leveraged for further exploitation.

💻 Affected Systems

Products:
  • lunasvg
Versions: v3.0.0 specifically mentioned, potentially other versions with same code
Operating Systems: All platforms where lunasvg runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use lunasvg library to parse SVG files. The vulnerability is triggered when processing specially crafted SVG content.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through memory corruption if combined with other vulnerabilities, or complete application crash leading to denial of service.

🟠 Likely Case

Application crash (segmentation fault) when processing malicious SVG files, resulting in denial of service.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially just failed SVG processing.

🌐 Internet-Facing: MEDIUM - Applications accepting SVG uploads or processing untrusted SVG content from the internet are at risk.
🏢 Internal Only: LOW - Only affects systems processing SVG files, typically not a core business function.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on GitHub demonstrates crash. Exploitation requires feeding malicious SVG to vulnerable application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check for the latest version newer than v3.0.0

Vendor Advisory: https://github.com/sammycage/lunasvg/issues/209

Restart Required: Yes

Instructions:

1. Check current lunasvg version.
2. Update to latest version from official repository.
3. Rebuild/redeploy applications using lunasvg.
4. Restart affected services.

🔧 Temporary Workarounds

Input validation

all

Implement strict validation of SVG files before processing with lunasvg

Sandbox SVG processing

all

Isolate SVG processing in container or separate process to limit crash impact
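
One way to apply the separate-process workaround, as an added example that is not part of the original advisory or the lunasvg project: the parent hands the SVG to a child process and classifies a signal-terminated child as a crash instead of dying with it. The renderer command is an assumption (any helper binary that links lunasvg and reads SVG on stdin); the two stand-in commands are constructed so the wrapper runs without lunasvg installed. POSIX only.

```python
import resource
import signal
import subprocess
import sys

def _cap(res, value):
    # Lower only the soft limit; never try to raise above the existing hard limit.
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, hard))

def _limit_child():
    # Runs in the child just before exec.
    _cap(resource.RLIMIT_CPU, 5)   # CPU seconds available to one render
    _cap(resource.RLIMIT_CORE, 0)  # no core dumps from crashing renders

def render_isolated(cmd, svg_bytes, timeout=10):
    """Run `cmd` in a child process with the SVG on stdin.

    Returns (status, detail) where status is 'ok', 'error', 'crash' or
    'timeout'. A NULL dereference in the renderer surfaces as
    ('crash', 'SIGSEGV') while the calling service keeps running.
    """
    try:
        proc = subprocess.run(cmd, input=svg_bytes, capture_output=True,
                              timeout=timeout, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return ("timeout", f"no result after {timeout}s")
    if proc.returncode < 0:
        # Negative return code means the child was killed by that signal.
        return ("crash", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", f"exit code {proc.returncode}")
    return ("ok", proc.stdout)

# Constructed stand-ins for the (assumed) renderer binary.
CRASH_STANDIN = [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
OK_STANDIN = [sys.executable, "-c",
              "import sys; sys.stdout.write(str(len(sys.stdin.buffer.read())))"]

if __name__ == "__main__":
    sample = b"<svg xmlns='http://www.w3.org/2000/svg'/>"  # constructed input
    print(render_isolated(OK_STANDIN, sample))
    print(render_isolated(CRASH_STANDIN, sample))  # log this with the upload's id
```

Logging the `('crash', 'SIGSEGV')` result together with an identifier for the submitted file gives the crash indicators listed under Detection & Monitoring a concrete source.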

🧯 If You Can't Patch

  • Disable SVG processing functionality if not essential
  • Implement WAF rules to block suspicious SVG content patterns

🔍 How to Verify

Check if Vulnerable:

Check if application uses lunasvg v3.0.0 and processes SVG files

Check Version:

Check build configuration or dependency files for lunasvg version

Verify Fix Applied:

Test with known malicious SVG PoC after update - application should not crash

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • Application crashes during SVG processing
  • Unexpected process termination

Network Indicators:

  • Unusual SVG file uploads
  • Repeated SVG processing requests

SIEM Query:

process.name: "your_app" AND event.type: "crash" AND error.message: "segmentation fault"
