CVE-2024-57722

7.5 HIGH

📋 TL;DR

Lunasvg v3.0.0 contains an allocation-size-too-big vulnerability in the plutovg_surface_create component that can lead to denial of service or potentially arbitrary code execution. This affects applications that process SVG files using the vulnerable lunasvg library. Developers and systems using lunasvg for SVG rendering are at risk.

💻 Affected Systems

Products:
  • lunasvg
Versions: Version 3.0.0 specifically mentioned; check other versions for similar issues.
Operating Systems: All platforms where lunasvg is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using lunasvg library to parse SVG files is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the memory corruption can be weaponized.

🟠 Likely Case: Denial of service through application crash when processing malicious SVG files.

🟢 If Mitigated: Limited to denial of service if the memory corruption cannot be controlled for code execution.

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded SVG files could be exploited remotely.
🏢 Internal Only: LOW - Only affects systems using lunasvg for SVG processing, typically not widespread.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept available on GitHub demonstrates crash; weaponization for code execution would require additional research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue #209 for latest patched version

Vendor Advisory: https://github.com/sammycage/lunasvg/issues/209

Restart Required: No

Instructions:

1. Check the current lunasvg version.
2. Update to the latest version from the official repository.
3. Rebuild/redeploy applications using lunasvg.

🔧 Temporary Workarounds

Input validation (platforms: all): Implement strict validation of SVG file sizes before processing with lunasvg.

Library replacement (platforms: all): Temporarily replace lunasvg with an alternative SVG rendering library.

🧯 If You Can't Patch

  • Implement WAF rules to block SVG files with suspicious characteristics
  • Isolate SVG processing to dedicated containers with resource limits

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses lunasvg version 3.0.0 or another affected version.

Check Version:

Check build configuration or package manager for lunasvg version

Verify Fix Applied:

Test with known malicious SVG file from PoC repository to ensure no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing SVG files
  • Memory allocation errors in system logs

Network Indicators:

  • Unusually large SVG file uploads
  • Multiple failed SVG processing attempts

SIEM Query:

Application logs containing 'lunasvg' AND ('crash' OR 'segmentation fault' OR 'memory allocation')
