Regular Expression Denial of Service in CairoSVG
Description
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
CairoSVGPyPI | < 2.5.1 | 2.5.1 |
Affected products
6- ghsa-coords5 versionspkg:pypi/cairosvgpkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/python-CairoSVG&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/python-CairoSVG&distro=SUSE%20Package%20Hub%2015%20SP5
< 2.5.1+ 4 more
- (no CPE)range: < 2.5.1
- (no CPE)range: < 2.5.2-bp154.2.3.1
- (no CPE)range: < 2.5.2-bp155.3.3.1
- (no CPE)range: < 2.5.2-bp154.2.3.1
- (no CPE)range: < 2.5.2-bp155.3.3.1
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-hq37-853p-g5cfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-21236ghsaADVISORY
- github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3ghsax_refsource_MISCWEB
- github.com/Kozea/CairoSVG/releases/tag/2.5.1ghsax_refsource_MISCWEB
- github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cfghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yamlghsaWEB
- pypi.org/project/CairoSVGghsaWEB
- pypi.org/project/CairoSVG/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.