CVE-2024-57723

6.5 MEDIUM

📋 TL;DR

CVE-2024-57723 is a segmentation violation vulnerability in lunasvg's composition_source_over component that can cause denial of service or potentially arbitrary code execution when processing malicious SVG files. This affects applications using lunasvg v3.0.0 for SVG rendering. Developers and systems processing untrusted SVG content are at risk.

💻 Affected Systems

Products:
  • lunasvg
Versions: v3.0.0
Operating Systems: All platforms where lunasvg runs (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using lunasvg v3.0.0 for SVG parsing/rendering is vulnerable when processing SVG files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the segmentation violation can be weaponized into memory corruption exploits.

🟠 Likely Case

Application crash or denial of service when processing specially crafted SVG files, disrupting SVG rendering functionality.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially causing only application instability.

🌐 Internet-Facing: MEDIUM - Applications accepting user-uploaded SVG files or processing external SVG content could be exploited remotely.
🏢 Internal Only: LOW - Primarily affects systems processing SVG files, which is less common in internal-only workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept demonstrates crash but not full weaponization. Exploitation requires feeding malicious SVG content to vulnerable applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.1.0 or later

Vendor Advisory: https://github.com/sammycage/lunasvg/issues/209

Restart Required: Yes

Instructions:

1. Update lunasvg to version 3.1.0 or later.
2. Rebuild any applications using lunasvg.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation

all

Implement strict validation of SVG files before processing with lunasvg

Sandbox SVG Processing

all

Isolate SVG processing in containerized or sandboxed environments

🧯 If You Can't Patch

  • Implement network-level filtering to block SVG file uploads to vulnerable systems
  • Deploy application-level monitoring for segmentation faults in SVG processing components
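
One way to combine the sandboxing workaround with the segmentation-fault monitoring above, as an added example that is not part of the original advisory or of lunasvg: each SVG is rendered in a throwaway child process with resource limits, and a signal-terminated render is reported instead of taking down the service. It assumes a Linux/POSIX host and that rendering lives in a separate executable taking the SVG path as its last argument; `svg-render-worker` and the limit values are hypothetical.

```python
import resource
import signal
import subprocess

# Assumption: hypothetical renderer binary that links lunasvg and takes the
# SVG path as its last argument.
RENDER_CMD = ["svg-render-worker"]

CPU_SECONDS = 5                  # CPU time allowed for one render
ADDRESS_SPACE = 512 * 1024**2    # 512 MiB virtual memory cap


def _limit_child():
    """Runs in the child just before exec: cap CPU, memory and core dumps."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE, ADDRESS_SPACE))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def render_isolated(svg_path, cmd=RENDER_CMD, timeout=10):
    """Render one SVG in a separate process and classify how it ended.

    Returns (status, detail); status is "ok", "crash", "timeout" or "error".
    """
    try:
        proc = subprocess.run(
            [*cmd, svg_path],
            stdin=subprocess.DEVNULL,
            capture_output=True,
            timeout=timeout,
            preexec_fn=_limit_child,
        )
    except subprocess.TimeoutExpired:
        return "timeout", f"no result after {timeout}s"
    if proc.returncode < 0:
        # Negative return code: the child was killed by that signal number
        # (SIGSEGV from the renderer, or SIGXCPU/SIGKILL from the limits).
        return "crash", signal.Signals(-proc.returncode).name
    if proc.returncode != 0:
        return "error", f"exit code {proc.returncode}"
    return "ok", ""


def log_line(svg_path, status, detail):
    """One structured line per render outcome, suitable for log shipping."""
    return f"svg_render status={status} detail={detail} file={svg_path!r}"
```

Alerting on `status=crash detail=SIGSEGV` lines gives the segmentation-fault signal described under Log Indicators without relying on the parent application's own crash output.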

🔍 How to Verify

Check if Vulnerable:

Check if application uses lunasvg v3.0.0 via dependency manifest or by checking linked libraries

Check Version:

Check package manager or build configuration for lunasvg version

Verify Fix Applied:

Verify lunasvg version is 3.1.0 or later and test with known malicious SVG samples

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • Unexpected process termination during SVG processing

Network Indicators:

  • Unusual SVG file uploads to web applications
  • SVG files with abnormal structure

SIEM Query:

Process:terminated AND (Error:segmentation_fault OR Error:sigsegv) AND Process:contains:lunasvg
