Apache Batik prior to 1.16 allows RCE via scripting
Description
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Batik before 1.16 allows arbitrary Java code execution via JavaScript in untrusted SVG files, leading to information disclosure or SSRF.
Vulnerability
Overview
CVE-2022-42890 is a security flaw in Apache Batik, part of the Apache XML Graphics project, that permits an attacker to execute arbitrary Java code from untrusted SVG files through embedded JavaScript. The root cause is that Batik's SVG rasterizer uses the Rhino JavaScript engine without restricting which Java classes can be accessed from scripts, allowing malicious SVG content to invoke arbitrary Java methods [1][2][4].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SVG file containing JavaScript that calls Java classes. No authentication is required; the victim only needs to process the SVG, for example by viewing it in a browser or converting it server-side. The attacker can then execute arbitrary Java code within the Batik process, potentially leading to information disclosure or server-side request forgery (SSRF) [1][4].
Impact
Successful exploitation can result in the disclosure of sensitive information, such as file contents or environment details, or allow the attacker to make network requests from the server (SSRF). The vulnerability is rated as Medium severity by both the Apache Security Team and NVD [3][4].
Mitigation
Users should upgrade to Apache Batik version 1.16 or later, which restricts the Java classes accessible from JavaScript. No workaround is available for earlier versions [1][3].
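The root cause described in the Overview (Rhino resolving any Java class a script names) and the fix described under Mitigation (restricting which classes scripts can see) both come down to Rhino's `ClassShutter` hook. The class below is an added example written for this page, not Batik's `RhinoClassShutter` and not code from the project: it implements a default-deny shutter whose only exceptions are exact names on an allowlist, and an `audit` helper that reports the policy's decision for a set of class names. It assumes the Rhino jar (`org.mozilla.javascript`) is on the classpath; the allowlist contents and the class names in `main` are constructed for illustration.

```java
// Added example (not Batik's code): a default-deny Rhino ClassShutter with an
// explicit allowlist. Assumes the Rhino jar is on the classpath; the allowlist
// and the names audited in main() are constructed for illustration.
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;

public final class AllowlistClassShutter implements ClassShutter {

    // Exact class names scripts may resolve. Nothing else is visible, including
    // classes under javax.*, sun.*, org.* or any library on the application's classpath.
    private final Set<String> allowed;

    public AllowlistClassShutter(Set<String> allowed) {
        this.allowed = Collections.unmodifiableSet(new TreeSet<>(allowed));
    }

    /** Rhino calls this for every Java class a script tries to reach. */
    @Override
    public boolean visibleToScripts(String fullClassName) {
        // Exact match only: no package-prefix allowances and no name-suffix
        // exemptions, so a class cannot slip through by living in an "allowed"
        // package or by the shape of its name.
        return allowed.contains(fullClassName);
    }

    /**
     * Installs the shutter on a freshly entered Rhino Context. Rhino refuses to
     * replace a shutter once one is set, so this must run before any script does;
     * the caller pairs it with Context.exit() when finished.
     */
    public static Context newRestrictedContext(Set<String> allowed) {
        Context cx = Context.enter();
        cx.setClassShutter(new AllowlistClassShutter(allowed));
        return cx;
    }

    /** Evaluates the policy against a set of class names, for review or testing. */
    public static Map<String, Boolean> audit(ClassShutter shutter, String... classNames) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String name : classNames) {
            result.put(name, shutter.visibleToScripts(name));
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed allowlist: two harmless JDK classes a rendering script might need.
        Set<String> allowed = new TreeSet<>();
        allowed.add("java.lang.Math");
        allowed.add("java.lang.String");

        AllowlistClassShutter shutter = new AllowlistClassShutter(allowed);
        Map<String, Boolean> decisions = audit(shutter,
                "java.lang.Math",                     // allowlisted: visible
                "java.lang.String",                   // allowlisted: visible
                "java.lang.Runtime",                  // JDK class not on the list: hidden
                "javax.script.ScriptEngineManager",   // outside java.*: still hidden
                "org.example.internal.Helper",        // constructed org.* name: still hidden
                "java.security.Permission");          // *Permission suffix earns no exemption
        decisions.forEach((cls, visible) ->
                System.out.printf("%-40s %s%n", cls, visible ? "visible" : "hidden"));
    }
}
```

The design choice worth noting is the absence of prefix and suffix rules. The Batik 1.16 patches shown under Patches below keep a three-entry whitelist (`java.io.PrintStream`, `java.lang.System`, `java.net.URL`) but also let through any class ending in `Permission` and any class whose name starts with `org.`; an exact-match allowlist like this one has no such side doors, at the cost of having to enumerate every class a legitimate script needs.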
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.xmlgraphics:batik (Maven) | < 1.16 | 1.16 |
| org.apache.xmlgraphics:batik-bridge (Maven) | < 1.16 | 1.16 |
Affected products
- pkg:maven/org.apache.xmlgraphics/batik (no CPE), range: < 1.16
- pkg:maven/org.apache.xmlgraphics/batik-bridge (no CPE), range: < 1.16
- pkg:rpm/opensuse/xmlgraphics-batik&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 1.17-150200.4.7.1
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 (no CPE), range: < 1.17-150200.4.7.1
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 1.17-2.7.1
- Apache Software Foundation / Apache XML Graphics (CVE v5 record range): Batik
Patches
Commit 401aa8595f52: BATIK-1345: Restrict what java classes can be run thru rhino
1 file changed · +1 −1
batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java+1 −1 modified@@ -59,7 +59,7 @@ public void test(String cls) { * Returns whether the given class is visible to scripts. */ public boolean visibleToScripts(String fullClassName) { - if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) { + if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) { return false; }
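Review bot: the reordered condition in `visibleToScripts` is now default-deny, but the new `!fullClassName.startsWith("org.")` clause re-opens every class under `org.` (Batik's own internals and any `org.*` library on the application's classpath) except the `org.mozilla.javascript` names rejected further down; if specific Batik classes need to be scriptable, add them to `WHITELIST` rather than allowing the whole prefix. The `!fullClassName.endsWith("Permission")` exemption survives unchanged and still admits any class whose name ends in that suffix, regardless of package. The class Javadoc ("Class shutter that restricts access to Batik internals from script") now describes the old behaviour and should say that the shutter restricts JDK and library classes as well.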
Commit eada57c716a2: BATIK-1345: Restrict what java classes can be run thru rhino
1 file changed · +29 −0
batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java+29 −0 added@@ -0,0 +1,29 @@ +/* + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + */ +package org.apache.batik.script.rhino; + +import org.junit.Assert; +import org.junit.Test; + +public class RhinoClassShutterTest { + @Test + public void testImports() { + Assert.assertFalse(new RhinoClassShutter().visibleToScripts("java.lang.Runtime")); + } +}
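Review bot: `testImports` pins down a single negative case (`java.lang.Runtime` is hidden). Add positive assertions for the whitelisted names (`java.io.PrintStream`, `java.lang.System`, `java.net.URL`) so a later tightening of the shutter cannot silently break legitimate scripts, and a second negative assertion for a name outside the `java.` prefix (for example a `javax.` class), so the test documents the intended default-deny behaviour rather than one class. The test method name also misdescribes what it checks; `testRuntimeHiddenFromScripts` or similar would read better.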
Commit 52f7a1ad6e31: BATIK-1345: Restrict what java classes can be run thru rhino
1 file changed · +8 −0
batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java+8 −0 modified@@ -20,13 +20,17 @@ Licensed to the Apache Software Foundation (ASF) under one or more import org.mozilla.javascript.ClassShutter; +import java.util.Arrays; +import java.util.List; + /** * Class shutter that restricts access to Batik internals from script. * * @author <a href="mailto:deweese@apache.org">Thomas DeWeese</a> * @version $Id$ */ public class RhinoClassShutter implements ClassShutter { + private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"); /* public RhinoClassShutter() { @@ -55,6 +59,10 @@ public void test(String cls) { * Returns whether the given class is visible to scripts. */ public boolean visibleToScripts(String fullClassName) { + if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) { + return false; + } + // Don't let them mess with script engine's internals. if (fullClassName.startsWith("org.mozilla.javascript")) return false;
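Review bot: the new guard at the top of `visibleToScripts` only applies to names that start with `java.`, so any class outside that package tree (`javax.*`, `sun.*`, or any library class on the application's classpath) remains visible to scripts; a default-deny check with `WHITELIST` as the only exception would close that gap. The `!fullClassName.endsWith("Permission")` clause is an unexplained special case that exempts every class with that suffix; a comment stating which permission classes scripts actually need, or listing them explicitly, would make the intent reviewable. Whitelisting `java.lang.System` wholesale is also broad (it exposes environment and system-property lookups, not just `System.out`); if scripts only need console output, exposing the `PrintStream` alone would suffice. Minor: `WHITELIST` is a `List<String>` queried with `contains`; a `HashSet` expresses the membership test directly.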
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rwqr-m72q-v6cm (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-42890 (advisory, via GHSA)
- security.gentoo.org/glsa/202401-11 (vendor advisory, via GHSA)
- www.debian.org/security/2022/dsa-5264 (vendor advisory, via GHSA)
- svn.apache.org/repos/asf/xmlgraphics/batik/trunk (web, via GHSA)
- www.openwall.com/lists/oss-security/2022/10/25/3 (mailing list, via GHSA)
- github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082 (web, via GHSA)
- github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a (web, via GHSA)
- github.com/apache/xmlgraphics-batik/commit/eada57c716a2757579d53017f8b2aeadaad20edd (web, via GHSA)
- issues.apache.org/jira/browse/BATIK-1345 (web, via GHSA)
- lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly (web, via GHSA)
- lists.debian.org/debian-lts-announce/2022/10/msg00038.html (mailing list, via GHSA)
- xmlgraphics.apache.org/security.html (web, via GHSA)
News mentions
No linked articles in our index yet.