Directory Traversal
Description
The package convert-svg-core before 0.6.4 is vulnerable to Directory Traversal due to improper sanitization of SVG tags. Exploiting this vulnerability is possible by using a specially crafted SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
convert-svg-core before 0.6.4 is vulnerable to directory traversal via a specially crafted SVG file due to improper sanitization of SVG tags.
Vulnerability
The vulnerability in convert-svg-core (versions before 0.6.4) arises from improper sanitization of SVG tags. The library only sanitizes the first SVG element in the input, allowing attackers to bypass security measures by inserting a dummy `<svg></svg>` element before the malicious payload [1][2]. This enables directory traversal, as a crafted SVG can include an `onfocus` event handler with JavaScript that reads arbitrary files from the server filesystem [2].
Exploitation
To exploit the vulnerability, an attacker supplies a specially crafted SVG file to the conversion function. The proof-of-concept in reference [2] uses multiple SVG elements; the dummy `<svg></svg>` passes the sanitization check, while subsequent malicious elements containing an `onfocus` event with base64-encoded JavaScript execute in the headless Chromium browser used by the library. The payload can include an iframe with `src="file:///etc/passwd"`, enabling file read [2]. No authentication is required; the attacker only needs the ability to provide SVG content to the conversion process.
Impact
Successful exploitation allows an attacker to read sensitive files from the server, such as /etc/passwd, potentially leading to information disclosure and further compromise of the host [2][4]. The directory traversal can be used to access application source code, configuration files, and other critical system files [4].
Mitigation
The issue is fixed in version 0.6.4, where the library now processes only the first SVG element from the input, preventing the bypass through multiple elements [3][4]. Users are advised to upgrade immediately.
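The check-versus-render mismatch described above, as an added JavaScript illustration (not code from convert-svg or this advisory): a constructed `splitTopLevelSvg` stands in for cheerio's `'svg'` selection, `convertVulnerable` and `convertFixed` model the pre- and post-0.6.4 shapes, and `hasMultipleRootSvg` is a caller-side pre-check; all names and the sample input (placeholder handler value) are constructed for this example.

```javascript
// Stand-in for cheerio's selection (constructed for this example, not convert-svg
// code): returns the markup of each root-level <svg> element, tracking nesting
// depth so nested <svg> children stay inside their parent. Well-formed markup only.
function splitTopLevelSvg(input) {
  const elements = [];
  const tagRe = /<(\/?)svg\b[^>]*?(\/?)>/gi;
  let depth = 0, start = -1, m;
  while ((m = tagRe.exec(input)) !== null) {
    const closing = m[1] === '/', selfClosing = m[2] === '/';
    if (!closing && depth === 0) start = m.index;
    if (!closing && !selfClosing) depth++;
    else if (closing && depth > 0) depth--;
    // A root element is complete when depth returns to zero (or it self-closed at root).
    if (depth === 0 && start >= 0 && (closing || selfClosing)) {
      elements.push(input.slice(start, tagRe.lastIndex));
      start = -1;
    }
  }
  return elements;
}

// Removes on* event-handler attributes from one element's markup; over-broad on
// purpose, since over-stripping is the safe failure mode.
function stripEventHandlers(element) {
  return element.replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Pre-0.6.4 shape: sanitize only the first selected element, then serialize all
// of them, so a second root <svg> keeps its handler.
function convertVulnerable(input) {
  const elements = splitTopLevelSvg(input);
  if (elements.length === 0) throw new Error('SVG element not found in input');
  elements[0] = stripEventHandlers(elements[0]);
  return elements.join('');
}

// 0.6.4 shape: select the first element only, so what is sanitized is exactly
// what is rendered; any further root elements are dropped.
function convertFixed(input) {
  const [first] = splitTopLevelSvg(input);
  if (!first) throw new Error('SVG element not found in input');
  return stripEventHandlers(first);
}
// Defensive pre-check: a real SVG document has one root, so several root <svg>
// elements are worth rejecting or logging before conversion.
function hasMultipleRootSvg(input) {
  return splitTopLevelSvg(input).length > 1;
}

// Constructed sample: a dummy element, then one carrying a placeholder handler.
const SAMPLE_INPUT = '<svg></svg>' +
  '<svg viewBox="0 0 240 80" onload="PLACEHOLDER_HANDLER"><text>data</text></svg>';
```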
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| convert-svg-core (npm) | < 0.6.4 | 0.6.4 |
Affected products
- convert-svg-core/convert-svg-core
- Range: <0.6.4
Patches
2bbc498c5029 Convert only first SVG element from input
10 files changed · +9 −1
packages/convert-svg-core/src/Converter.js+1 −1 modified@@ -261,7 +261,7 @@ class Converter { input = Buffer.isBuffer(input) ? input.toString('utf8') : input; const { provider } = this; - const svg = cheerio.default.html(this[_sanitize](cheerio.load(input, null, false)('svg'), options)); + const svg = cheerio.default.html(this[_sanitize](cheerio.load(input, null, false)('svg:first'), options)); if (!svg) { throw new Error('SVG element not found in input. Check the SVG input');
packages/convert-svg-test-helper/src/fixtures/input/issue-86.svg+2 −0 added@@ -0,0 +1,2 @@ +<svg></svg> +<svg viewBox="0 0 240 80" height="1000" width="1000" onload="eval(atob(this.id))" id="ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs="></svg>
packages/convert-svg-test-helper/src/tests.json+6 −0 modified@@ -168,6 +168,12 @@ "file": "issue-81.svg", "message": "should strip onload attribute" }, + { + "name": "when SVG has multiple SVG elements", + "file": "issue-86.svg", + "options": { "width": 1000, "height": 1000 }, + "message": "should only read first SVG element" + }, { "name": "when setting both baseFile and baseUrl options", "file": "external-file.svg",
packages/convert-svg-to-jpeg/test/fixtures/expected/29.jpeg+0 −0 addedpackages/convert-svg-to-jpeg/test/fixtures/expected/36.jpeg+0 −0 removedpackages/convert-svg-to-jpeg/test/fixtures/expected/37.jpeg+0 −0 modifiedpackages/convert-svg-to-jpeg/test/fixtures/expected/38.jpeg+0 −0 modifiedpackages/convert-svg-to-jpeg/test/fixtures/expected/39.jpeg+0 −0 addedpackages/convert-svg-to-png/test/fixtures/expected/29.png+0 −0 addedpackages/convert-svg-to-webp/test/fixtures/expected/29.webp+0 −0 added
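Review bot: the `'svg:first'` change in Converter.js closes the gap between what `this[_sanitize]` processed and what `cheerio.default.html` serialized, but the new behaviour of silently discarding every root element after the first is undocumented at that line; consider a comment there, or an explicit error when `cheerio.load(input, null, false)('svg').length > 1`, so callers learn that trailing `<svg>` elements are dropped rather than rendered.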
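Review bot: the new tests.json case for issue-86.svg only asserts "should only read first SVG element"; as a regression test for this advisory it should also assert that the `onload` attribute on the second `<svg>` in the fixture never reaches the rendered output, mirroring the neighbouring "should strip onload attribute" check for issue-81.svg.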
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5f47-rcg5-9m24 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24278 (GHSA advisory)
- github.com/neocotic/convert-svg/commit/2bbc498c5029238637206661dbac9e44d37d17c5 (GHSA, x_refsource_MISC, web)
- github.com/neocotic/convert-svg/issues/86 (GHSA, x_refsource_MISC, web)
- github.com/neocotic/convert-svg/pull/87 (GHSA, x_refsource_MISC, web)
- snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2859830 (GHSA, x_refsource_MISC, web)