VYPR
Moderate severity · NVD Advisory · Published Sep 22, 2022 · Updated Nov 3, 2025

PDFTranscoder does not block external resources

CVE-2022-38648

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Request Forgery in Apache Batik 1.14 allows attackers to fetch external resources via crafted SVG, leading to potential data exfiltration.

Vulnerability

Overview

CVE-2022-38648 is a Server-Side Request Forgery (SSRF) vulnerability in Apache XML Graphics Batik version 1.14. The root cause is that Batik's SVG processing does not validate external resource requests before fetching them, allowing an attacker to force the application to make arbitrary HTTP requests. The fix, introduced in commit 996aa8897c208be11ce65cef00c9576a299b2637, adds a checkLoadExternalResource call to block unauthorized external resources [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious SVG document that references external URLs (e.g., via ` or ` elements). If the application processes user-supplied SVG content without proper validation, the SSRF can be triggered. No authentication is required if the SVG is processed in a context that trusts user input. The attacker can target internal network resources that are not normally accessible from the internet [1].

Impact

Successful exploitation allows an attacker to fetch internal resources, such as cloud metadata endpoints, internal services, or sensitive files. This can lead to information disclosure, lateral movement, or further compromise of the internal network. The vulnerability is rated with a CVSS score of 7.5 (High) due to the potential for significant impact [1].

Mitigation

The vulnerability is fixed in Apache Batik version 1.15. Users running Batik 1.14 or earlier should upgrade immediately. The Jira issue BATIK-1333 tracks the resolution and confirms the fix [3]. No workarounds are documented; upgrading is the recommended action.
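The fix described above only helps if the application's UserAgent actually refuses external resources when the bridge asks it to. The following is an added example (not code from the advisory, the Batik project or the fix commit) showing the defender-side configuration: a UserAgentAdapter whose getExternalResourceSecurity returns NoLoadExternalResourceSecurity, the same policy class the patch's own test uses, applied while building the GVT tree for an untrusted SVG. The SVG string, the file: document URI and the host internal.example are constructed placeholders; the class name NoExternalResourcesExample is hypothetical. The example assumes a Batik version (1.15 or later) in which the image bridge calls checkLoadExternalResource before fetching, which is exactly the code path the patch adds.

```java
import java.io.StringReader;

import org.apache.batik.anim.dom.SAXSVGDocumentFactory;
import org.apache.batik.bridge.BridgeContext;
import org.apache.batik.bridge.BridgeException;
import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.GVTBuilder;
import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.UserAgentAdapter;
import org.apache.batik.util.ParsedURL;
import org.apache.batik.util.XMLResourceDescriptor;
import org.w3c.dom.svg.SVGDocument;

public class NoExternalResourcesExample {

    // Constructed sample input: an SVG whose <image> points outside the document.
    // "http://internal.example/metadata" is a placeholder, not a real endpoint.
    static final String UNTRUSTED_SVG =
        "<svg xmlns='http://www.w3.org/2000/svg'"
      + "     xmlns:xlink='http://www.w3.org/1999/xlink' width='10' height='10'>"
      + "  <image width='10' height='10' xlink:href='http://internal.example/metadata'/>"
      + "</svg>";

    /** A UserAgent that refuses every external resource, regardless of origin. */
    static UserAgentAdapter denyAllExternalResources() {
        return new UserAgentAdapter() {
            @Override
            public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL,
                                                                        ParsedURL docURL) {
                // Alternative for a same-origin policy: new DefaultExternalResourceSecurity(resourceURL, docURL)
                return new NoLoadExternalResourceSecurity();
            }
        };
    }

    /**
     * Parses the SVG and builds its GVT tree under the deny-all policy.
     * Returns true when the bridge rejected the external reference with a BridgeException,
     * false when the tree was built without the policy objecting.
     */
    static boolean externalReferenceBlocked(String svg) throws Exception {
        String parser = XMLResourceDescriptor.getXMLParserClassName();
        SAXSVGDocumentFactory factory = new SAXSVGDocumentFactory(parser);
        // The document URI (constructed) is the docURL the policy compares resource URLs against.
        SVGDocument doc = factory.createSVGDocument("file:///tmp/untrusted.svg", new StringReader(svg));

        BridgeContext ctx = new BridgeContext(denyAllExternalResources());
        try {
            new GVTBuilder().build(ctx, doc);
            return false;
        } catch (BridgeException ex) {
            // On a fixed Batik the image bridge calls userAgent.checkLoadExternalResource(purl, pDocURL)
            // before fetching; NoLoadExternalResourceSecurity throws, and the bridge wraps it.
            System.err.println("blocked: " + ex.getMessage());
            return true;
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external image blocked: " + externalReferenceBlocked(UNTRUSTED_SVG));
    }
}
```

The policy object is consulted per resource, so a same-origin variant (DefaultExternalResourceSecurity) can be returned for references that share the document's origin while everything else is denied; what matters for this CVE is that the policy is enforced on every image-loading path, which is what upgrading to the patched release restores.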

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.xmlgraphics:batik (Maven) | < 1.15 | 1.15
org.apache.xmlgraphics:batik-bridge (Maven) | < 1.15 | 1.15

Affected products: 4

Patches: 1

996aa8897c20

BATIK-1333: Block external resource before calling fop

https://github.com/apache/xmlgraphics-batik · Simon Steiner · Aug 22, 2022 · via ghsa
2 files changed · +74 −16
  • batik-bridge/src/main/java/org/apache/batik/bridge/SVGImageElementBridge.java (+16 −16, modified)
    @@ -175,33 +175,33 @@ public GraphicsNode createGraphicsNode(BridgeContext ctx, Element e) {
             } else {
                 purl = new ParsedURL(baseURI, uriStr);
             }
    -
    +        checkLoadExternalResource(ctx, e, purl);
             return createImageGraphicsNode(ctx, e, purl);
         }
     
    -    protected GraphicsNode createImageGraphicsNode(BridgeContext ctx,
    -                                                   Element e,
    -                                                   ParsedURL purl) {
    -        Rectangle2D bounds = getImageBounds(ctx, e);
    -        if ((bounds.getWidth() == 0) || (bounds.getHeight() == 0)) {
    -            ShapeNode sn = new ShapeNode();
    -            sn.setShape(bounds);
    -            return sn;
    -        }
    -
    +    private void checkLoadExternalResource(BridgeContext ctx, Element e, ParsedURL purl) {
             SVGDocument svgDoc = (SVGDocument)e.getOwnerDocument();
             String docURL = svgDoc.getURL();
             ParsedURL pDocURL = null;
    -        if (docURL != null)
    +        if (docURL != null) {
                 pDocURL = new ParsedURL(docURL);
    -
    +        }
             UserAgent userAgent = ctx.getUserAgent();
    -
             try {
                 userAgent.checkLoadExternalResource(purl, pDocURL);
             } catch (SecurityException secEx ) {
    -            throw new BridgeException(ctx, e, secEx, ERR_URI_UNSECURE,
    -                                      new Object[] {purl});
    +            throw new BridgeException(ctx, e, secEx, ERR_URI_UNSECURE, new Object[] {purl});
    +        }
    +    }
    +
    +    protected GraphicsNode createImageGraphicsNode(BridgeContext ctx,
    +                                                   Element e,
    +                                                   ParsedURL purl) {
    +        Rectangle2D bounds = getImageBounds(ctx, e);
    +        if ((bounds.getWidth() == 0) || (bounds.getHeight() == 0)) {
    +            ShapeNode sn = new ShapeNode();
    +            sn.setShape(bounds);
    +            return sn;
             }
     
             DocumentLoader loader = ctx.getDocumentLoader();
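Review bot: the external-resource check is moved out of createImageGraphicsNode into createGraphicsNode rather than kept in both places, so any other caller of the protected createImageGraphicsNode (including subclasses that override or invoke it directly, as the new test does) no longer passes through userAgent.checkLoadExternalResource; either leave a check in createImageGraphicsNode as well or document that callers must validate purl first. A behaviour change worth recording in the commit message: in the old code the check ran after the zero-width/zero-height early return, so zero-size images were never checked, whereas the new checkLoadExternalResource(ctx, e, purl) call runs before getImageBounds. The refactor also drops the blank line before `return createImageGraphicsNode(ctx, e, purl);`, which is fine, but the braces added around the single-statement `if (docURL != null)` are unrelated style changes that would be cleaner in a separate commit.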
    
  • batik-test-old/src/test/java/org/apache/batik/bridge/SVGImageElementBridgeTestCase.java (+58 −0, added)
    @@ -0,0 +1,58 @@
    +/*
    +
    +   Licensed to the Apache Software Foundation (ASF) under one or more
    +   contributor license agreements.  See the NOTICE file distributed with
    +   this work for additional information regarding copyright ownership.
    +   The ASF licenses this file to You under the Apache License, Version 2.0
    +   (the "License"); you may not use this file except in compliance with
    +   the License.  You may obtain a copy of the License at
    +
    +       http://www.apache.org/licenses/LICENSE-2.0
    +
    +   Unless required by applicable law or agreed to in writing, software
    +   distributed under the License is distributed on an "AS IS" BASIS,
    +   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +   See the License for the specific language governing permissions and
    +   limitations under the License.
    +
    + */
    +package org.apache.batik.bridge;
    +
    +import org.apache.batik.anim.dom.SVGDOMImplementation;
    +import org.apache.batik.anim.dom.SVGOMImageElement;
    +import org.apache.batik.dom.AbstractDocument;
    +import org.apache.batik.gvt.GraphicsNode;
    +import org.apache.batik.util.ParsedURL;
    +import org.junit.Assert;
    +import org.junit.Test;
    +import org.w3c.dom.DOMImplementation;
    +import org.w3c.dom.Document;
    +import org.w3c.dom.Element;
    +
    +public class SVGImageElementBridgeTestCase {
    +    @Test
    +    public void testNoLoadExternalResourceSecurity() {
    +        DOMImplementation impl = SVGDOMImplementation.getDOMImplementation();
    +        String svgNS = SVGDOMImplementation.SVG_NAMESPACE_URI;
    +        Document doc = impl.createDocument(svgNS, "svg", null);
    +        SVGOMImageElement imageElement = new SVGOMImageElement("", (AbstractDocument) doc);
    +        imageElement.setAttributeNS("http://www.w3.org/1999/xlink","href", "http://localhost/x");
    +        UserAgentAdapter userAgentAdapter = new UserAgentAdapter() {
    +            public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
    +                return new NoLoadExternalResourceSecurity();
    +            }
    +        };
    +        SVGImageElementBridge imageElementBridge = new SVGImageElementBridge() {
    +            protected GraphicsNode createImageGraphicsNode(BridgeContext ctx, Element e, ParsedURL purl) {
    +                return null;
    +            }
    +        };
    +        String msg = "";
    +        try {
    +            imageElementBridge.buildImageGraphicsNode(new BridgeContext(userAgentAdapter), imageElement);
    +        } catch (BridgeException e) {
    +            msg = e.getMessage();
    +        }
    +        Assert.assertEquals(msg, "The security settings do not allow any external resources to be referenced from the document");
    +    }
    +}
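Review bot: `Assert.assertEquals(msg, "The security settings do not allow ...")` has expected and actual reversed (JUnit's order is expected first), so a failure report would label the two values the wrong way round; swap them. Comparing the full human-readable message is also brittle, since it is a resource string that can change without the security behaviour changing; asserting on the BridgeException's error code (the bridge throws with ERR_URI_UNSECURE) would pin the intent more robustly. Finally, the test relies on msg staying "" when no exception is thrown to make the final assertion fail; an explicit Assert.fail("expected BridgeException") after buildImageGraphicsNode makes that expectation visible to the next reader.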
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
