Arbitrary Code Injection
Description
The package convert-svg-core before 0.6.3 is vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
convert-svg-core before 0.6.3 allows arbitrary code injection via crafted SVG, enabling file read and PNG output.
Vulnerability
convert-svg-core, a package for converting SVG to other formats using headless Chromium, is vulnerable to arbitrary code injection before version 0.6.3. The issue stems from insufficient sanitization of SVG element attributes, allowing event handlers like onfocus, onload, and autofocus to execute arbitrary JavaScript when the SVG is rendered [1][2].
Exploitation
An attacker can craft an SVG file containing event handler attributes that execute JavaScript code. The provided PoC uses onfocus and autofocus to trigger script execution, bypassing earlier fixes that only removed onload. The JavaScript can read arbitrary files from the file system (e.g., /etc/passwd) using an iframe with file:// protocol, and the file content is then embedded into the SVG, which gets converted to a PNG and returned to the attacker [3][4].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's file system, potentially leaking sensitive data like configuration files, credentials, or application source code. The attacker receives the file content as a converted PNG image, exfiltrating it via the application's output.
Mitigation
The vulnerability is fixed in convert-svg-core version 0.6.3, which introduces a whitelist of allowed SVG attributes and strips every attribute not on it, event handlers included [2]. Users should upgrade to this version or later. No workarounds are available.
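The allow-list approach that 0.6.3 takes, shown as an added example for the Vulnerability and Mitigation sections above (this is not code from the convert-svg project): the two attribute sets are copied from the patched Converter.js constructor and the `allowDeprecatedAttributes` default follows the patch, while the start-tag parser, the `sanitizeDenyList`/`sanitizeAllowList` functions and the sample SVG are constructed for this illustration and are assumptions (the real package parses with cheerio). As in the patch, only the root `<svg>` element's attributes are filtered. Running the deny-list and the allow-list side by side shows why removing a single attribute name was insufficient and what the allow-list leaves in place.

```javascript
'use strict';

// Added example, not code from convert-svg-core. The two attribute sets are copied
// from the patched Converter.js constructor (0.6.3); everything else here is a
// constructed stand-in for the cheerio-based code the package actually uses.

const ALLOWED_ATTRIBUTES = new Set([
  // Core
  'height', 'preserveAspectRatio', 'viewBox', 'width', 'x', 'xmlns', 'y',
  // Conditional processing
  'requiredExtensions', 'systemLanguage',
  // Presentation
  'clip-path', 'clip-rule', 'color', 'color-interpolation', 'cursor', 'display',
  'fill', 'fill-opacity', 'fill-rule', 'filter', 'mask', 'opacity', 'overflow',
  'pointer-events', 'shape-rendering', 'stroke', 'stroke-dasharray',
  'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit',
  'stroke-opacity', 'stroke-width', 'style', 'transform', 'vector-effect',
  'visibility',
  // XML
  'xml:lang', 'xmlns:xlink',
]);

const ALLOWED_DEPRECATED_ATTRIBUTES = new Set([
  'baseProfile', 'version', 'zoomAndPan', 'requiredFeatures',
  'clip', 'color-rendering', 'enable-background', 'xml:base', 'xml:space',
]);

// Same decision as the patch's [_isAttributeAllowed]; allowDeprecatedAttributes
// defaults to true, as [_parseOptions] sets it.
function isAttributeAllowed(name, options = {}) {
  const allowDeprecated = options.allowDeprecatedAttributes !== false;
  return ALLOWED_ATTRIBUTES.has(name) ||
    (allowDeprecated && ALLOWED_DEPRECATED_ATTRIBUTES.has(name));
}

// Constructed minimal parser for the first <svg ...> start tag (assumes no '>'
// inside attribute values). Returns null when there is no root <svg> element.
function parseRootTag(svg) {
  const tag = /<svg\b([^>]*?)(\/?)>/i.exec(svg);
  if (!tag) return null;
  const attrs = [];
  const attrRe = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) {
    // A bare attribute such as autofocus carries no value at all.
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1], value });
  }
  return { start: tag.index, end: tag.index + tag[0].length, selfClosing: tag[2] === '/', attrs };
}

function serializeRootTag(root, attrs) {
  const parts = attrs.map((a) =>
    a.value === undefined ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`);
  return `<svg${parts.length ? ' ' + parts.join(' ') : ''}${root.selfClosing ? '/' : ''}>`;
}

// Rewrites the root start tag, keeping only the attributes the predicate accepts.
// As in the patch, descendant elements are left untouched.
function rewriteRoot(svg, keep) {
  const root = parseRootTag(svg);
  if (!root) throw new Error('SVG element not found in input. Check the SVG input');
  return svg.slice(0, root.start) + serializeRootTag(root, root.attrs.filter(keep)) + svg.slice(root.end);
}

// Pre-0.6.3 behaviour: a deny-list that removes only onload.
function sanitizeDenyList(svg) {
  return rewriteRoot(svg, (a) => a.name !== 'onload');
}

// 0.6.3 behaviour: anything not on the allow-list is removed, event handlers included.
function sanitizeAllowList(svg, options = {}) {
  return rewriteRoot(svg, (a) => isAttributeAllowed(a.name, options));
}

// Names of the root element's attributes, for inspection and tests.
function rootAttributeNames(svg) {
  const root = parseRootTag(svg);
  return root ? root.attrs.map((a) => a.name) : [];
}

// Constructed sample: a legitimate viewBox, a deprecated attribute, a non-standard
// attribute and the event-handler attribute names the advisory mentions.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" enable-background="new 0 0 10 10"' +
  ' data-note="constructed" onload="handler()" onfocus="handler()" autofocus>' +
  '<rect width="10" height="10" fill="#000"/></svg>';

console.log(sanitizeDenyList(SAMPLE_SVG));
console.log(sanitizeAllowList(SAMPLE_SVG));
console.log(sanitizeAllowList(SAMPLE_SVG, { allowDeprecatedAttributes: false }));
```

Run with `node`: the first printed document still carries `onfocus` and `autofocus` (the deny-list only knew about `onload`), the second keeps just `xmlns`, `viewBox` and `enable-background`, and in the third `enable-background` drops out because `allowDeprecatedAttributes` is `false`. The `<rect>` child is unchanged in all three, which is the scope the patch chose.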
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| convert-svg-core (npm) | < 0.6.3 | 0.6.3 |
Affected products
- convert-svg-core/convert-svg-core
  - Range: <0.6.3
Patches
a43dffaab0f1 Remove all disallowed SVG element attributes
14 files changed · +171 −51
package.json+3 −0 modified@@ -18,6 +18,9 @@ "outdated:packages": "lerna exec --stream --no-bail \"npm outdated\"", "publish:packages": "lerna publish from-package", "test": "mocha -O maxDiffSize=32 -R list \"packages/*/test/**/*.spec.js\"", + "test:jpeg": "npm test -- --grep convert-svg-to-jpeg", + "test:png": "npm test -- --grep convert-svg-to-png", + "test:webp": "npm test -- --grep convert-svg-to-webp", "verify": "npm run bootstrap && npm run lint && npm test", "version:packages": "lerna version --no-git-tag-version --no-push" },
packages/convert-svg-core/README.md+6 −6 modified@@ -35,13 +35,13 @@ you can contribute. ## Implementation -In order to create a new SVG converter that uses `convert-svg-core`, you'll need to create a new sub-directory for your +In order to create a new SVG converter that uses `convert-svg-core`, you'll need to create a new subdirectory for your package under the [packages](https://github.com/neocotic/convert-svg/tree/main/packages) directory. Try to follow the `convert-svg-to-<FORMAT>` naming convention for the converter package name. -Take a look at the other packages in this directory to setup the new package directory. They are all very similar, by -design, as the you should just need to provide the minimal amount of information required to support your intended -output format. +Take a look at the other packages in this directory to set up the new package directory. They are all very similar, by +design, as you should just need to provide the minimal amount of information required to support your intended output +format. The most important thing that's needed is a implementation of [convert-svg-core/src/Provider](https://github.com/neocotic/convert-svg/blob/main/packages/convert-svg-core/src/Provider.js). @@ -63,7 +63,7 @@ const MyFormatProvider = require('./MyFormatProvider'); module.exports = new API(new MyFormatProvider()); ``` -Configure this in your `package.json` file and you're API is ready! +Configure this in your `package.json` file and your API is ready! ### CLI @@ -95,7 +95,7 @@ Make sure that your file is executable. For example; $ chmod a+x bin/<PACKAGE-NAME> ``` -Configure this in your `package.json` file and you're CLI is ready! +Configure this in your `package.json` file and your CLI is ready! ## Testing
packages/convert-svg-core/src/Converter.js+96 −6 modified@@ -35,12 +35,15 @@ const util = require('util'); const readFile = util.promisify(fs.readFile); const writeFile = util.promisify(fs.writeFile); +const _allowedAttributeNames = Symbol('allowedAttributeNames'); +const _allowedDeprecatedAttributeNames = Symbol('allowedDeprecatedAttributeNames'); const _browser = Symbol('browser'); const _convert = Symbol('convert'); const _destroyed = Symbol('destroyed'); const _getDimensions = Symbol('getDimensions'); const _getPage = Symbol('getPage'); const _getTempFile = Symbol('getTempFile'); +const _isAttributeAllowed = Symbol('isAttributeAllowed'); const _options = Symbol('options'); const _page = Symbol('page'); const _parseOptions = Symbol('parseOptions'); @@ -63,8 +66,8 @@ const _validate = Symbol('validate'); * it to convert a collection of SVG files to files in another format and then destroy it afterwards. It's not * recommended to keep an instance around for too long, as it will use up resources. * - * Due constraints within Chromium, the SVG input is first written to a temporary HTML file and then navigated to. This - * is because the default page for Chromium is using the <code>chrome</code> protocol so cannot load externally + * Due to constraints within Chromium, the SVG input is first written to a temporary HTML file and then navigated to. + * This is because the default page for Chromium is using the <code>chrome</code> protocol so cannot load externally * referenced files (e.g. that use the <code>file</code> protocol). This temporary file is reused for the lifespan of * each {@link Converter} instance and will be deleted when it is destroyed. * 
@@ -86,18 +89,82 @@ class Converter { constructor(provider, options) { this[_provider] = provider; this[_options] = Object.assign({}, options); + this[_allowedAttributeNames] = new Set([ + // Core + 'height', + 'preserveAspectRatio', + 'viewBox', + 'width', + 'x', + 'xmlns', + 'y', + // Conditional Processing + 'requiredExtensions', + 'systemLanguage', + // Presentation + 'clip-path', + 'clip-rule', + 'color', + 'color-interpolation', + 'cursor', + 'display', + 'fill', + 'fill-opacity', + 'fill-rule', + 'filter', + 'mask', + 'opacity', + 'overflow', + 'pointer-events', + 'shape-rendering', + 'stroke', + 'stroke-dasharray', + 'stroke-dashoffset', + 'stroke-linecap', + 'stroke-linejoin', + 'stroke-miterlimit', + 'stroke-opacity', + 'stroke-width', + 'style', + 'transform', + 'vector-effect', + 'visibility', + // XML + 'xml:lang', + 'xmlns', + 'xmlns:xlink' + ]); + this[_allowedDeprecatedAttributeNames] = new Set([ + // Core + 'baseProfile', + 'version', + 'zoomAndPan', + // Conditional Processing + 'requiredFeatures', + // Presentation + 'clip', + 'color-rendering', + 'enable-background', + // XML + 'xml:base', + 'xml:space' + ]); this[_destroyed] = false; } /** * Converts the specified <code>input</code> SVG into another format using the <code>options</code> provided. * - * <code>input</code> can either be a SVG buffer or string. + * <code>input</code> can either be an SVG buffer or string. * * If the width and/or height cannot be derived from <code>input</code> then they must be provided via their * corresponding options. This method attempts to derive the dimensions from <code>input</code> via any * <code>width</code>/<code>height</code> attributes or its calculated <code>viewBox</code> attribute. * + * Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG + * before being converted. This includes deprecated attributes unless the <code>allowDeprecatedAttributes</code> + * option is disabled. 
This is primarily for security purposes to ensure that malicious code cannot be injected. + * * This method is resolved with the converted output buffer. * * An error will occur if this {@link Converter} has been destroyed, both the <code>baseFile</code> and @@ -129,6 +196,10 @@ class Converter { * options. This method attempts to derive the dimensions from the input file via any * <code>width</code>/<code>height</code> attributes or its calculated <code>viewBox</code> attribute. * + * Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG + * before being converted. This includes deprecated attributes unless the <code>allowDeprecatedAttributes</code> + * option is disabled. This is primarily for security purposes to ensure that malicious code cannot be injected. + * * This method is resolved with the path of the converted output file for reference. * * An error will occur if this {@link Converter} has been destroyed, both the <code>baseFile</code> and @@ -190,7 +261,7 @@ class Converter { input = Buffer.isBuffer(input) ? input.toString('utf8') : input; const { provider } = this; - const svg = cheerio.default.html(this[_sanitize](cheerio.load(input, null, false)('svg'))); + const svg = cheerio.default.html(this[_sanitize](cheerio.load(input, null, false)('svg'), options)); if (!svg) { throw new Error('SVG element not found in input. Check the SVG input'); @@ -321,6 +392,11 @@ html { background-color: ${provider.getBackgroundColor(options)}; } }); } + [_isAttributeAllowed](attributeName, options) { + return this[_allowedAttributeNames].has(attributeName) || + (options.allowDeprecatedAttributes && this[_allowedDeprecatedAttributeNames].has(attributeName)); + } + [_parseOptions](options, inputFilePath) { options = Object.assign({}, options); 
@@ -334,6 +410,10 @@ html { background-color: ${provider.getBackgroundColor(options)}; } options.outputFilePath = path.join(outputDirPath, outputFileName); } + if (typeof options.allowDeprecatedAttributes !== 'boolean') { + options.allowDeprecatedAttributes = true; + } + if (options.baseFile != null && options.baseUrl != null) { throw new Error('Both baseFile and baseUrl options specified. Use only one'); } @@ -385,8 +465,16 @@ html { background-color: ${provider.getBackgroundColor(options)}; } }; } - [_sanitize](svg) { - return svg.removeAttr('onload'); + [_sanitize](svg, options) { + const attributeNames = Object.keys(svg.attr() || {}); + + for (const attributeName of attributeNames) { + if (!this[_isAttributeAllowed](attributeName, options)) { + svg.removeAttr(attributeName); + } + } + + return svg; } async [_setDimensions](page, dimensions) { @@ -457,6 +545,8 @@ module.exports = Converter; * The options that can be passed to {@link Converter#convert}. * * @typedef {Object} Converter~ConvertOptions + * @property {boolean} [allowDeprecatedAttributes=true] - Whether deprecated SVG element attributes should be retained + * in the SVG during conversion. * @property {string} [background] - The background color to be used to fill transparent regions within the SVG. If * omitted, the {@link Provider} will determine the default background color. * @property {string} [baseFile] - The path of the file to be converted into a file URL to use for all relative URLs
packages/convert-svg-test-helper/src/fixtures/input/data-url-font.svg+1 −1 modified@@ -1,4 +1,4 @@ -<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100%" height="100%" viewPort="0 0 1000 1000"> +<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100%" height="100%" viewBox="0 0 1000 1000"> <circle cx="230" cy="230" r="230" fill="#E91E63" /> <text x="230" y="235" alignment-baseline="central" text-anchor="middle" fill="#fff" font-size="275" font-weight="100" font-family="Roboto">X</text> <defs>
packages/convert-svg-test-helper/src/fixtures/input/viewbox-only-2.svg+1 −1 modified@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> -<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 100 99.864" enable-background="new 0 0 100 99.864" xml:space="preserve"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 100 99.864" style="enable-background: new 0 0 100 99.864" xml:space="preserve"> <rect x="0" y="0" width="100" height="100" fill="#808080"/> <path fill="#231F20" d="M83.713,63.42c-0.307-1.176-0.998-2.188-1.795-3.023c0.539-2.354,0.832-4.801,0.832-7.314 C77.318,54.467,77.18,55.815,76.98,57.143"></path>
packages/convert-svg-test-helper/src/fixtures/input/width-height-viewbox-2.svg+1 −1 modified@@ -2,7 +2,7 @@ <!-- Generator: Adobe Illustrator 17.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) --> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" - width="100px" height="100px" viewBox="206 206 100 100" enable-background="new 206 206 100 100" xml:space="preserve"> + width="100px" height="100px" viewBox="206 206 100 100" style="enable-background: new 206 206 100 100" xml:space="preserve"> <path id="check-mark-3-icon" d="M256,206c-27.614,0-50,22.386-50,50s22.386,50,50,50s50-22.386,50-50S283.614,206,256,206z M247.493,282.932l-23.623-23.629l10.058-10.06l13.564,13.568l31.315-31.315l10.063,10.056L247.493,282.932z"/> </svg>
packages/convert-svg-test-helper/src/fixtures/input/width-height-viewbox-3.svg+1 −1 modified@@ -2,7 +2,7 @@ <!-- Generator: Adobe Illustrator 18.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) --> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" - width="148px" height="35px" viewBox="0.3 0 148 35" enable-background="new 0.3 0 148 35" xml:space="preserve"> + width="148px" height="35px" viewBox="0.3 0 148 35" style="enable-background: new 0.3 0 148 35" xml:space="preserve"> <g> <g> <path fill="#2AB098" d="M25.9,17.7c0-3.3-2.7-6-6-6s-6,2.7-6,6s2.7,6,6,6S25.9,21,25.9,17.7 M20,27.2c-5.3,0-9.6-4.3-9.6-9.6
packages/convert-svg-test-helper/src/fixtures/input/width-height-viewbox.svg+1 −1 modified@@ -2,7 +2,7 @@ <!-- Generator: Adobe Illustrator 14.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 43363) --> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" - width="505px" height="505px" viewBox="0 0 505 505" enable-background="new 0 0 505 505" xml:space="preserve"> + width="505px" height="505px" viewBox="0 0 505 505" style="enable-background: new 0 0 505 505" xml:space="preserve"> <rect y="0.498" fill="#FBDE34" width="504.67" height="504.442"/> <g> <path fill="#524739" d="M217.503,388.691v14.757h-16.155v39.766c0,3.729,0.621,6.214,1.864,7.457
packages/convert-svg-to-jpeg/README.md+21 −12 modified@@ -67,30 +67,35 @@ The CLI can be used in the following ways: Converts the specified `input` SVG into a JPEG using the `options` provided via a headless Chromium instance. -`input` can either be a SVG buffer or string. +`input` can either be an SVG buffer or string. If the width and/or height cannot be derived from `input` then they must be provided via their corresponding options. This method attempts to derive the dimensions from `input` via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the JPEG output buffer. An error will occur if both the `baseFile` and `baseUrl` options have been provided, `input` does not contain an SVG element or no `width` and/or `height` options were provided and this information could not be derived from `input`. #### Options -| Option | Type | Default | Description | -|--------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. White will be used if omitted. | -| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | -| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseFile` option. 
| -| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | -| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | -| `quality` | Number | `100` | Quality of the output to be generated. | -| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. | -| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | -| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | +| Option | Type | Default | Description | +|-----------------------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `allowDeprecatedAttributes` | Boolean | `true` | Whether deprecated SVG element attributes should be retained in the SVG during conversion. | +| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. White will be used if omitted. | +| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | +| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseFile` option. | +| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | +| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | +| `quality` | Number | `100` | Quality of the output to be generated. 
| +| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. | +| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | +| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | The `puppeteer` option is not available when calling this method on a `Converter` instance created using `createConverter`. @@ -123,6 +128,10 @@ If the width and/or height cannot be derived from the input file then they must options. This method attempts to derive the dimensions from the input file via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the path of the JPEG output file for reference. An error will occur if both the `baseFile` and `baseUrl` options have been provided, the input file does not contain an
packages/convert-svg-to-jpeg/test/fixtures/expected/20.jpeg+0 −0 modifiedpackages/convert-svg-to-png/README.md+20 −11 modified@@ -66,29 +66,34 @@ The CLI can be used in the following ways: Converts the specified `input` SVG into a PNG using the `options` provided via a headless Chromium instance. -`input` can either be a SVG buffer or string. +`input` can either be an SVG buffer or string. If the width and/or height cannot be derived from `input` then they must be provided via their corresponding options. This method attempts to derive the dimensions from `input` via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the PNG output buffer. An error will occur if both the `baseFile` and `baseUrl` options have been provided, `input` does not contain an SVG element or no `width` and/or `height` options were provided and this information could not be derived from `input`. #### Options -| Option | Type | Default | Description | -|--------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. Will remain transparent if omitted. | -| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | -| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. 
Cannot be used in conjunction with the `baseFile` option. | -| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | -| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | -| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. | -| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | -| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | +| Option | Type | Default | Description | +|-----------------------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `allowDeprecatedAttributes` | Boolean | `true` | Whether deprecated SVG element attributes should be retained in the SVG during conversion. | +| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. Will remain transparent if omitted. | +| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | +| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseFile` option. | +| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | +| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | +| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. 
| +| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | +| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | The `puppeteer` option is not available when calling this method on a `Converter` instance created using `createConverter`. @@ -121,6 +126,10 @@ If the width and/or height cannot be derived from the input file then they must options. This method attempts to derive the dimensions from the input file via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the path of the PNG output file for reference. An error will occur if both the `baseFile` and `baseUrl` options have been provided, the input file does not contain an
packages/convert-svg-to-png/test/fixtures/expected/20.png+0 −0 modifiedpackages/convert-svg-to-webp/README.md+20 −11 modified@@ -66,29 +66,34 @@ The CLI can be used in the following ways: Converts the specified `input` SVG into a WEBP using the `options` provided via a headless Chromium instance. -`input` can either be a SVG buffer or string. +`input` can either be an SVG buffer or string. If the width and/or height cannot be derived from `input` then they must be provided via their corresponding options. This method attempts to derive the dimensions from `input` via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the WEBP output buffer. An error will occur if both the `baseFile` and `baseUrl` options have been provided, `input` does not contain an SVG element or no `width` and/or `height` options were provided and this information could not be derived from `input`. #### Options -| Option | Type | Default | Description | -|--------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. Will remain transparent if omitted. | -| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | -| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. 
Cannot be used in conjunction with the `baseFile` option. | -| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | -| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | -| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. | -| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | -| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | +| Option | Type | Default | Description | +|-----------------------------|------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `allowDeprecatedAttributes` | Boolean | `true` | Whether deprecated SVG element attributes should be retained in the SVG during conversion. | +| `background` | String | N/A | Background color to be used to fill transparent regions within the SVG. Will remain transparent if omitted. | +| `baseFile` | String | N/A | Path of the file to be converted into a file URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseUrl` option. | +| `baseUrl` | String | `"file:///path/to/cwd"` | Base URL to use for all relative URLs contained within the SVG. Cannot be used in conjunction with the `baseFile` option. | +| `height` | Number/String | N/A | Height of the output to be generated. Derived from SVG input if omitted. | +| `puppeteer` | Object | N/A | Options that are to be passed directly to `puppeteer.launch` when creating the `Browser` instance. | +| `rounding` | `ceil`/`floor`/`round` | `"round"` | Type of rounding to be applied to the width and height. 
| +| `scale` | Number | `1` | Scale to be applied to the width and height (specified as options or derived). | +| `width` | Number/String | N/A | Width of the output to be generated. Derived from SVG input if omitted. | The `puppeteer` option is not available when calling this method on a `Converter` instance created using `createConverter`. @@ -121,6 +126,10 @@ If the width and/or height cannot be derived from the input file then they must options. This method attempts to derive the dimensions from the input file via any `width`/`height` attributes or its calculated `viewBox` attribute. +Only standard SVG element attributes (excl. event attributes) are allowed and others are stripped from the SVG before +being converted. This includes deprecated attributes unless the `allowDeprecatedAttributes` option is disabled. This is +primarily for security purposes to ensure that malicious code cannot be injected. + This method is resolved with the path of the WEBP output file for reference. An error will occur if both the `baseFile` and `baseUrl` options have been provided, the input file does not contain an
packages/convert-svg-to-webp/test/fixtures/expected/20.webp+0 −0 modified
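Review bot: in the Converter.js constructor hunk, `'xmlns'` is listed twice in the `_allowedAttributeNames` set literal (once under `// Core`, again under `// XML`). `Set` de-duplicates it, so behaviour is unaffected, but drop one entry so the list reads as the single source of truth it is meant to be, and consider keeping each attribute in exactly one group so later additions are easier to review.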
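Review bot: in the `[_sanitize](svg, options)` hunk, `svg.attr()` returns the attribute map of the first matched element only, and the allow-list holds root-level attributes (no `d`, `cx`, `r` or similar shape attributes), so the filter is by construction applied to the root `<svg>` element and not to its descendants. The JSDoc added in the same file ("others are stripped from the SVG before being converted") reads as document-wide; state explicitly that only the root element's attributes are filtered, and record the reasoning. Separately, `Set.prototype.has` is case-sensitive, so a spec that feeds a camelCase attribute such as `viewBox` or `preserveAspectRatio` through `convert` and asserts it survives would guard against attribute-name case normalisation by the parser.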
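Review bot: the `_parseOptions` hunk defaults `allowDeprecatedAttributes` to `true`, so the deprecated names (`enable-background`, `xml:space`, `clip`, ...) are retained unless a caller opts out. The fixture hunks in this same commit replace `enable-background="..."` with `style="enable-background: ..."`, which suggests the deprecated forms are not needed for rendering; consider a strict-by-default `false` with opt-in retention, or at least explain the permissive default in the `Converter~ConvertOptions` typedef and the three README tables so integrators know what they are keeping.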
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-54px-mhwv-5v8x (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24429 (NVD)
- github.com/neocotic/convert-svg/commit/a43dffaab0f1e419d5be84e2e7356b86ffac3cf1 (fix commit)
- github.com/neocotic/convert-svg/issues/84 (issue)
- snyk.io/vuln/SNYK-JS-CONVERTSVGCORE-2859212 (Snyk advisory)
News mentions
No linked articles in our index yet.