CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
Description
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.9.0, Kozea/CairoSVG has an exponential denial of service via recursive `<use>` element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CairoSVG has an exponential denial-of-service vulnerability via recursive element amplification, causing CPU exhaustion from a small SVG input.
Vulnerability
CairoSVG, an SVG converter based on Cairo, is vulnerable to exponential denial of service through recursive `<use>` element amplification. The use() function in cairosvg/defs.py processes `<use>` elements without any depth or count limits, allowing a small SVG to trigger an exponential number of rendering calls [1].
Exploitation
An attacker can craft a malicious SVG file with nested `<use>` elements referencing each other. For example, with 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls. No authentication is required; any service that accepts SVG input (e.g., thumbnailing, PDF generation) is exploitable [1].
Impact
Successful exploitation causes CPU exhaustion, pinning the CPU at 100% indefinitely. Memory usage remains flat at approximately 43 MB, so the process does not terminate via out-of-memory kill. This results in a denial-of-service condition from a small input [1].
Mitigation
The vulnerability has been addressed in commit 6dde8685ed3f19837767bce7a13a5491e3d0e0bf, which introduces a reference count limit of 100,000 referenced elements, aborting rendering when the limit is exceeded [3]. Users should update to the latest version of CairoSVG. No workaround is available other than avoiding untrusted SVG input [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
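A defensive pre-check that bounds `<use>` amplification before an SVG reaches a renderer, as an added example that is not part of the advisory or of CairoSVG's own code: it statically counts the `<use>` renderings a full expansion would perform (memoised per referenced id, with cycle detection) and rejects the document when the count exceeds the same 100,000 budget the fix uses. `build_use_chain` constructs a test input with the nesting-depth and fan-out shape described above so the check can be exercised offline; the function names and the choice to skip unreferenced `<defs>` content are assumptions.

```python
import xml.etree.ElementTree as ET

SVG_NS = '{http://www.w3.org/2000/svg}'
XLINK_NS = '{http://www.w3.org/1999/xlink}'
MAX_REFERENCED_ELEMENTS = 100_000  # same budget as the upstream fix

def _href(el):
    return el.get('href') or el.get(XLINK_NS + 'href') or ''  # SVG 2 href or xlink:href

def count_use_expansions(svg_bytes, limit=MAX_REFERENCED_ELEMENTS):
    """Count the <use> renderings a full expansion would perform, without drawing.
    Raises ValueError on a reference cycle or when the count exceeds `limit`."""
    root = ET.fromstring(svg_bytes)
    by_id = {el.get('id'): el for el in root.iter() if el.get('id')}
    memo = {}            # element id -> renderings caused by its subtree
    in_progress = set()  # ids on the current expansion path (cycle check)

    def cost(el):
        if el.tag == SVG_NS + 'defs':
            return 0     # defs content is only rendered when referenced (assumption)
        own = 1 + cost_of_target(_href(el)) if el.tag == SVG_NS + 'use' else 0
        return own + sum(cost(child) for child in el)

    def cost_of_target(href):
        if not href.startswith('#') or href[1:] not in by_id:
            return 0     # external or dangling reference: nothing to expand
        target_id = href[1:]
        if target_id in in_progress:
            raise ValueError(f'cyclic <use> reference to #{target_id}')
        if target_id not in memo:
            in_progress.add(target_id)
            memo[target_id] = cost(by_id[target_id])
            in_progress.discard(target_id)
        return memo[target_id]

    total = cost(root)
    if total > limit:
        raise ValueError(f'{total} referenced elements exceed the limit of {limit}')
    return total

def build_use_chain(depth, fanout):
    """Construct a test SVG: `depth` nested groups, each holding `fanout` <use>
    references to the level below; expansion performs sum(fanout**k, k<=depth)."""
    parts = ['<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">',
             '<defs><rect id="L0" width="1" height="1"/>']
    for level in range(1, depth + 1):
        uses = f'<use href="#L{level - 1}"/>' * fanout
        parts.append(f'<g id="L{level}">{uses}</g>')
    parts.append(f'</defs><use href="#L{depth}"/></svg>')
    return ''.join(parts).encode()
```

Run the check on untrusted input before calling the converter and reject on ValueError; because the count is memoised per referenced element, the pre-check itself stays linear in the document size even when the expansion would not.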
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| CairoSVG (PyPI) | < 2.9.0 | 2.9.0 |
Affected products
- Kozea/CairoSVG, range: < 2.9.0
Patches
6dde8685ed3f: Abort when more than 100k referenced elements are rendered
2 files changed · +4 −0
cairosvg/defs.py+3 −0 modified@@ -334,6 +334,9 @@ def apply_filter_after_painting(surface, node, name): def use(surface, node): """Draw the content of another SVG node.""" + surface.reference_count += 1 + if not node.unsafe and surface.reference_count > 100_000: + raise ValueError('Abort rendering: more than 100 000 referenced elements') surface.context.save() surface.context.translate( size(surface, node.get('x'), 'x'), size(surface, node.get('y'), 'y'))
cairosvg/surface.py+1 −0 modified@@ -163,6 +163,7 @@ def __init__(self, tree, output, dpi, parent_surface=None, self.cursor_d_position = [0, 0] self.text_path_width = 0 self.tree_cache = {(tree.url, tree.get('id')): tree} + self.reference_count = 0 if parent_surface: self.markers = parent_surface.markers self.gradients = parent_surface.gradients
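Review bot: in the defs.py hunk, the new guard in use() raises a bare ValueError before surface.context.save(), which keeps the Cairo context balanced on abort, but the hard-coded 100_000 and the `not node.unsafe` bypass are not reflected in the docstring; consider lifting the limit into a named module constant and documenting that the check is skipped for unsafe trees and which exception callers should expect.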
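Review bot: in the surface.py hunk, `self.reference_count = 0` is set unconditionally and, unlike `self.markers` and `self.gradients` two lines below, is not taken over from `parent_surface`, so a child surface starts a fresh 100 000 budget instead of continuing the document-wide count; consider inheriting the counter from the parent (for example as a shared mutable counter) so the limit applies across nested surfaces.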
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-f38f-5xpm-9r7c (GitHub advisory)
2. https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf (fix commit)
3. https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c (vendor security advisory)