CVE-2019-17566
Description
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation of the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Batik SSRF vulnerability allows attackers to make arbitrary GET requests via crafted xlink:href attributes.
What the vulnerability is
CVE-2019-17566 is a server-side request forgery (SSRF) vulnerability in Apache Batik, a scalable vector graphics (SVG) toolkit. The root cause is improper input validation of the xlink:href attributes within SVG files, allowing an attacker to craft malicious SVG content that triggers arbitrary GET requests from the server processing the SVG [1][2].
How it is exploited
The attack surface includes any application that uses Apache Batik to parse or render SVG files, especially those that accept user-supplied SVG content. An attacker can supply a specially crafted SVG file containing a malicious xlink:href value (e.g., pointing to internal network resources). The vulnerability requires no authentication beyond the ability to have the server process the SVG; the requests are made from the server's perspective, bypassing network restrictions [1][3].
Impact
Successful exploitation allows an attacker to make the underlying server issue arbitrary GET requests to any reachable host. This can be used to probe internal networks, access sensitive files or services, and potentially pivot to further attacks. The severity is considered medium, but the risk increases in environments where Batik processes untrusted SVG content [1][4].
Mitigation
Apache Batik version 1.13 and later include a fix for this vulnerability. Additionally, the Jira issue BATIK-1276 introduced a mechanism to block external resources by adding a command-line option -blockExternalResources or setting KEY_ALLOW_EXTERNAL_RESOURCES to false [2][3]. Users should upgrade to Batik 1.13 or later and consider restricting external resource access for untrusted SVG processing [4].
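As an added illustration (not code from the Batik project or from this advisory), the Java snippet below shows how an application that embeds Batik 1.13 or later applies the KEY_ALLOW_EXTERNAL_RESOURCES hint introduced by BATIK-1276 when rasterizing untrusted SVG. The class name, the constructed test document and the reserved host example.invalid are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.StringReader;

import org.apache.batik.transcoder.SVGAbstractTranscoder;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;

/** Renders untrusted SVG with Batik's external-resource loading disabled (hypothetical class). */
public class HardenedSvgRasterizer {

    // Constructed test input: an <image> whose xlink:href points off-host.
    // example.invalid is a reserved, non-resolving name used only as a marker.
    static final String UNTRUSTED_SVG =
        "<svg xmlns='http://www.w3.org/2000/svg'"
      + " xmlns:xlink='http://www.w3.org/1999/xlink' width='10' height='10'>"
      + "<image xlink:href='http://example.invalid/probe.png' width='10' height='10'/>"
      + "</svg>";

    /** Transcodes svg to PNG bytes; returns null if Batik refused the document. */
    public static byte[] renderBlocked(String svg) {
        PNGTranscoder t = new PNGTranscoder();
        // Honoured by the BATIK-1276 fix (Batik >= 1.13): with the hint set to FALSE
        // the transcoder's user agent answers every external-resource query with
        // NoLoadExternalResourceSecurity, so the xlink:href target is never fetched.
        // Without this hint the default stays permissive (fail-open).
        t.addTranscodingHint(SVGAbstractTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);

        ByteArrayOutputStream png = new ByteArrayOutputStream();
        try {
            t.transcode(new TranscoderInput(new StringReader(svg)), new TranscoderOutput(png));
            return png.toByteArray();
        } catch (TranscoderException | RuntimeException e) {
            // A refused external reference is reported through the transcoder's error
            // handler; assumption: treat any failure on untrusted input as a rejection.
            return null;
        }
    }

    public static void main(String[] args) {
        byte[] out = renderBlocked(UNTRUSTED_SVG);
        System.out.println(out == null
            ? "document rejected, no external fetch made"
            : "rendered " + out.length + " PNG bytes, no external fetch made");
    }
}
```

The same hint is what the rasterizer command line sets when it is started with -blockExternalResources, so a batch job that calls the CLI instead of the transcoder API gets the equivalent protection from that switch.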
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.xmlgraphics:batik (Maven) | < 1.13 | 1.13 |
Affected products
- Apache/Batik
- pkg:maven/org.apache.xmlgraphics/batik (no CPE): range < 1.13
- pkg:rpm/opensuse/xmlgraphics-batik&distro=openSUSE%20Leap%2015.1 (no CPE): range < 1.9-lp151.6.3.1
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE): range < 1.8-3.3.1
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE): range < 1.8-3.3.1
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE): range < 1.9-bp151.2.3.1
Patches
bc6078ca9490 BATIK-1276: Allow blocking of external resources
3 files changed · +42 −0
batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java+17 −0 modified@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION = Messages.get("Main.cl.option.constrain.script.origin.description", "No description"); + public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES + = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources"); + + public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION + = Messages.get("Main.cl.option.block.external.resources.description", "No description"); + /** * Option to turn off secure execution of scripts */ @@ -829,6 +835,17 @@ public String getOptionDescription(){ return CL_OPTION_SECURITY_OFF_DESCRIPTION; } }); + + optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES, + new NoValueOptionHandler(){ + public void handleOption(SVGConverter c){ + c.allowExternalResources = false; + } + + public String getOptionDescription(){ + return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION; + } + }); } /**
batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java+6 −0 modified@@ -253,6 +253,8 @@ public class SVGConverter { the document which references them. */ protected boolean constrainScriptOrigin = true; + protected boolean allowExternalResources = true; + /** Controls whether scripts should be run securely or not */ protected boolean securityOff = false; @@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE); } + if (!allowExternalResources) { + map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE); + } + return map; }
batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java+19 −0 modified@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more import org.apache.batik.bridge.BridgeContext; import org.apache.batik.bridge.BridgeException; import org.apache.batik.bridge.DefaultScriptSecurity; +import org.apache.batik.bridge.ExternalResourceSecurity; import org.apache.batik.bridge.GVTBuilder; import org.apache.batik.bridge.NoLoadScriptSecurity; +import org.apache.batik.bridge.NoLoadExternalResourceSecurity; import org.apache.batik.bridge.RelaxedScriptSecurity; import org.apache.batik.bridge.SVGUtilities; import org.apache.batik.bridge.ScriptSecurity; @@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) { = new BooleanKey(); + public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES + = new BooleanKey(); + /** * A user agent implementation for <code>PrintTranscoder</code>. */ @@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){ } } + public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) { + if (isAllowExternalResources()) { + return super.getExternalResourceSecurity(resourceURL, docURL); + } + return new NoLoadExternalResourceSecurity(); + } + + public boolean isAllowExternalResources() { + Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES); + if (b != null) { + return b; + } + return true; + } } }
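Review bot: the two Messages.get lookups in the Main.java hunk fall back to "-blockExternalResources" and "No description", and no resource bundle is among the 3 files changed, so unless Main.cl.option.block.external.resources.description already exists in the bundle the new switch will be listed with "No description" in the rasterizer's usage text; add the properties entries (or a literal description string) in the same change.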
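Review bot: the SVGConverter.java hunk adds `protected boolean allowExternalResources = true;` with no public setter, so only the NoValueOptionHandler in Main.java (which assigns the field directly as `c.allowExternalResources = false;`) can turn blocking on; code that drives SVGConverter programmatically cannot. Add a `setAllowExternalResources(boolean)` next to the existing option setters, and document that the default keeps external loading enabled, so the protection is opt-in.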
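Review bot: `isAllowExternalResources()` in the SVGAbstractTranscoder.java hunk returns true when KEY_ALLOW_EXTERNAL_RESOURCES is absent from the hints, so every existing embedding stays fail-open until it sets the hint explicitly; that is a defensible compatibility choice, but it needs to be stated in the release notes so users know upgrading alone does not block external xlink:href loads. Also, `getExternalResourceSecurity(ParsedURL, ParsedURL)` calls `super.getExternalResourceSecurity(resourceURL, docURL)` and therefore overrides the parent user agent's method; add @Override so a signature mismatch fails at compile time instead of silently leaving the permissive implementation in place.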
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cmx4-p4v5-hmr5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-17566 (advisory)
- security.gentoo.org/glsa/202401-11 (vendor advisory, web)
- github.com/apache/xmlgraphics-batik/commit/bc6078ca949039e2076cd08b4cb169c84c1179b1 (web)
- issues.apache.org/jira/browse/BATIK-1276 (web)
- lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171%40%3Ccommits.myfaces.apache.org%3E (mailing list, web)
- lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E (web)
- lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509%40%3Ccommits.myfaces.apache.org%3E (mailing list, web)
- lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E (web)
- www.oracle.com//security-alerts/cpujul2021.html (web)
- www.oracle.com/security-alerts/cpuApr2021.html (web)
- www.oracle.com/security-alerts/cpujan2021.html (web)
- www.oracle.com/security-alerts/cpujan2022.html (web)
- www.oracle.com/security-alerts/cpujul2022.html (web)
- www.oracle.com/security-alerts/cpuoct2021.html (web)
- xmlgraphics.apache.org/security.html (web)