Directory Traversal in convert-svg-core, convert-svg-to-png and convert-svg-to-jpeg (CVE-2021-23631)
Description
This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
All versions of convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg are vulnerable to directory traversal via crafted SVG files, allowing arbitrary file read.
Vulnerability
All versions of the convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg packages are affected by a vulnerability catalogued as directory traversal [1][2][3][4]. The packages use a headless Chromium instance to convert SVG input into PNG or JPEG images. When the input contains an `<img>` element whose `src` attribute points to a `file://` URL, Chromium fetches the local file and renders it as part of the page. The resulting image therefore contains the contents of the targeted file, which amounts to arbitrary file read [2]. Despite the label, the flaw is not path manipulation: no `../` sequence is involved, because the rendering browser is simply allowed to load whatever `file://` URL the SVG names.
Exploitation
An attacker must supply a malicious SVG document to an application that uses any of the affected packages to convert user-supplied SVG files. No authentication is required if the application exposes the conversion endpoint publicly [1]. The proof of concept (PoC) provided by Aritra Chakraborty is an SVG that embeds an `<img>` element with `src="file:///etc/passwd"` alongside valid SVG elements. When the application calls `convert()` on that SVG, the headless Chromium browser reads the local `/etc/passwd` file and draws its contents into the rendered bitmap, which is then returned to the attacker as a PNG image [2][3][4].
Impact
Successful exploitation results in information disclosure: the attacker can read files on the server's file system, such as `/etc/passwd`, application source code, or configuration secrets. What can be reached is bounded by the permissions of the account running the headless Chromium process, and the attacker receives the file contents as pixel data in the generated image rather than as raw bytes, so text files are recovered by reading or OCR-ing the bitmap. Confidentiality is compromised; no modification of data or code execution is achieved [1][2].
Mitigation
Upgrade the affected packages to version 0.6.0 or higher, which the Snyk advisories list as addressing the issue [2][3][4]; note that the GHSA-sourced package table below records no patched version, so confirm the fixed release against the upstream changelog before relying on the upgrade alone. No workaround has been published that does not involve updating the package. As general defence in depth (not taken from the cited advisories), treat the converter as an untrusted-document renderer: reject SVG input that references external resources before handing it to `convert()`, and run the headless Chromium process in a sandbox (a container or dedicated account) with read access to nothing beyond its own installation. At the time of disclosure, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| convert-svg-core | npm | <= 0.5.0 | none listed |
| convert-svg-to-png | npm | <= 0.5.0 | none listed |
| convert-svg-to-jpeg | npm | <= 0.5.0 | none listed |
Affected products
Six product entries, none with a CPE identifier; each carries the version range <= 0.5.0 (three of them sourced from GHSA coordinates).
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-jv7g-9g6q-cxvw (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2021-23631 (NVD entry)
- https://gist.github.com/legndery/a248350bb25b8502a03c2f407cedeb14 (gist, MISC reference)
- https://snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785 (Snyk advisory, convert-svg-core)
- https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOJPEG-2348245 (Snyk advisory, convert-svg-to-jpeg)
- https://snyk.io/vuln/SNYK-JS-CONVERTSVGTOPNG-2348244 (Snyk advisory, convert-svg-to-png)
News mentions
No linked articles in our index yet.