VYPR
High severity · NVD Advisory · Published Jan 3, 2018 · Updated Sep 16, 2024

CVE-2017-1000498

Description

AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component, resulting in denial of service and possibly remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AndroidSVG 1.2.2 is vulnerable to XXE attacks during SVG parsing, enabling denial of service via billion laughs and possible remote code execution.

Vulnerability

AndroidSVG version 1.2.2 is vulnerable to XML External Entity (XXE) attacks during SVG parsing [1][2]. The library fails to disable processing of external entities and DTDs, which are not required for SVG files [3]. The vulnerability is triggered in the SVG.parse(InputStream is) method, which passes the input to xr.parse(new InputSource(is)) without setting security features on the SAXParserFactory [3]. Affected versions include 1.2.2, and earlier versions may also be affected [2].

Exploitation

An attacker needs to supply a crafted SVG file to an application that uses AndroidSVG for parsing [3]. No authentication or special privileges are required beyond the ability to provide the SVG input. A known example is the billion laughs attack, which defines nested entities that expand exponentially to consume memory [3]. The attack can be carried out by including a malicious DTD or entity definitions within the SVG XML, which the parser will process by default [3].

Impact

Successful exploitation can lead to denial of service through resource exhaustion (memory consumption) [1][3]. In some scenarios, if the XXE allows file inclusion or command execution via external entities, remote code execution may be possible, though the reference describes this as only a potential risk [1][3]. The impact is limited to the server or device where the SVG is parsed, and the privilege level achieved could be that of the application process [2].

Mitigation

A fix has been available since the GitHub advisory was published on October 19, 2018 [2][3]. The remediation requires explicitly disabling external entity processing and DTD loading on the SAXParserFactory used by AndroidSVG [3]. The following calls should be made on that factory (spf) prior to parsing [3]:

    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

No workaround is available if the library is not patched; users should update to a version that incorporates these changes or apply the mitigation themselves [3].
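The hardened parser setup described above, as an added example that is not code from AndroidSVG or the advisory. It applies the advisory's three features plus the JAXP secure-processing feature (an addition here), and fails closed: if the runtime's SAX parser cannot honour a feature, setFeature throws and nothing is parsed. The class name, the ElementCounter handler and the sample SVG are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSvgParse {
    // The three features the advisory says must be switched off before parsing.
    private static final String[] DISABLED_FEATURES = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };

    // Builds an XMLReader with external entity and external DTD loading disabled.
    // Fails closed: a parser that does not recognise or cannot honour a feature
    // throws from setFeature, so the caller never parses with an unsafe reader.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // not in the advisory
        for (String feature : DISABLED_FEATURES) {
            spf.setFeature(feature, false);
        }
        return spf.newSAXParser().getXMLReader();
    }

    // Minimal handler that counts elements, standing in for AndroidSVG's own handler.
    static final class ElementCounter extends DefaultHandler {
        int elements;
        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            elements++;
        }
    }

    // Parses SVG bytes with the hardened reader; returns the number of elements seen.
    static int parseSvg(byte[] svgBytes) throws ParserConfigurationException, SAXException, IOException {
        XMLReader xr = hardenedReader();
        ElementCounter handler = new ElementCounter();
        xr.setContentHandler(handler);
        xr.parse(new InputSource(new ByteArrayInputStream(svgBytes)));
        return handler.elements;
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign sample input for the demonstration.
        String svg = "<svg xmlns='http://www.w3.org/2000/svg'><rect width='1' height='1'/></svg>";
        System.out.println("elements parsed: " + parseSvg(svg.getBytes("UTF-8")));
    }
}
```

The three advisory features stop the parser from fetching external entities and DTDs; expansion of internal entities is bounded separately by the parser's own limits, which on the JDK reference parser are enforced when FEATURE_SECURE_PROCESSING is on.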

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.caverock:androidsvg (Maven)
Affected versions: < 1.3
Patched versions: 1.3

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3
