Deserialization of Untrusted Data

CVE-2024-25117

Severity Medium
Score 6.8/10

Summary

The package php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. In versions before 0.5.2, php-svg-lib does not check that a `font-family` value is free of a `phar://` URL, which can lead to remote code execution on PHP < 8.0 (where a file operation on a `phar://` path unserializes the archive's metadata), and does not check whether external references are allowed at all. Projects that consume the `fontName` produced by php-svg-lib without strictly revalidating it may therefore be exposed to restriction bypass or RCE. `Style::fromAttributes()` or `Style::parseCssStyle()` should inspect the content of `font-family` and reject a `phar://` URL, so that an invalid and dangerous `fontName` value is never handed to other libraries; the check already performed in `Style::fromStyleSheets()` can be reused for this. Libraries that depend on php-svg-lib remain vulnerable to restriction bypass, or even remote code execution, if they do not double-check the `fontName` value they receive from it.
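The failure the summary describes and the check it asks for, as an added illustration: this is not code from php-svg-lib or from any project that consumes it. The function names, the `$allowExternalReferences` flag and the sample SVG are constructed for this example; the only facts taken from elsewhere are that a `font-family` value flows out of the style parser as a font name, and that on PHP < 8.0 a stat call on a `phar://` path unserializes the archive's metadata.

```php
<?php
// Added illustration for CVE-2024-25117. Not code from php-svg-lib; every
// function name here, the $allowExternalReferences flag and the sample SVG
// are assumptions constructed for this example.

// Constructed SVG: the style attribute, and so the font-family value, is
// attacker-controlled whenever the SVG comes from an untrusted source.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg">'
    . '<text x="0" y="20" style="font-family: phar:///tmp/evil.phar/f; font-size: 12px">x</text>'
    . '<text x="0" y="40" style="font-family: \'Times New Roman\'">y</text>'
    . '</svg>';

/** Split a style="" attribute into [property => value]; quotes around values are dropped. */
function parseCssStyle(string $style): array
{
    $props = [];
    foreach (explode(';', $style) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;
        }
        [$name, $value] = explode(':', $decl, 2);
        $props[strtolower(trim($name))] = trim($value, " \t\r\n\"'");
    }
    return $props;
}

/** Pre-0.5.2 behaviour as the advisory describes it: the value is passed on unchanged. */
function fontNameUnchecked(array $props): ?string
{
    return $props['font-family'] ?? null;
}

/**
 * Hardened variant. A font-family is a font name, never a path or URL, so any
 * value carrying a stream-wrapper scheme (phar://, file://, http://, data:, ...)
 * is refused unless external references were explicitly enabled, phar:// is
 * refused unconditionally, and path separators are refused because the renderer,
 * not the SVG, decides where fonts are loaded from.
 */
function fontNameValidated(array $props, bool $allowExternalReferences = false): ?string
{
    $value = $props['font-family'] ?? null;
    if ($value === null || $value === '') {
        return null;
    }
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $value)) {
        if (!$allowExternalReferences || preg_match('~^phar:~i', $value)) {
            return null;
        }
    }
    if (preg_match('~[\\\\/]~', $value)) {
        return null;
    }
    return $value;
}

/**
 * What a consuming library might do with the name (a real renderer maps names
 * to its own font directory; this is reduced to the dangerous call). On PHP < 8.0
 * a stat on a phar:// path such as file_exists() unserializes the archive's
 * metadata, which is the CWE-502 sink; PHP 8.0 stopped doing that implicitly.
 * The validation above is what keeps an attacker-chosen value out of this call.
 */
function consumerPicksFont(?string $fontName, string $fallback = 'Helvetica'): string
{
    if ($fontName === null) {
        return $fallback;
    }
    return file_exists($fontName) ? $fontName : $fallback;
}

// Pull each style attribute out of the sample (a real parser walks the DOM).
preg_match_all('/style="([^"]*)"/', SAMPLE_SVG, $m);
foreach ($m[1] as $style) {
    $props = parseCssStyle($style);
    $unchecked = fontNameUnchecked($props);
    $validated = fontNameValidated($props);
    printf("%-45s unchecked=%-28s validated=%s\n",
        $style, var_export($unchecked, true), var_export($validated, true));
    // Only the validated value is allowed to reach the file-touching consumer.
    consumerPicksFont($validated);
}
```

The first sample line is the case the advisory is about: `fontNameUnchecked()` hands `phar:///tmp/evil.phar/f` through untouched, and a consumer that stats it on PHP < 8.0 deserializes whatever metadata the attacker put in that archive, while `fontNameValidated()` returns `null` for it regardless of the external-references setting. The second line shows that an ordinary quoted font name still passes. Consumers should keep their own check on the value even after upgrading, since the advisory places the double-check on their side as well.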

CVSS 3.1 metrics (the page lists the values without their labels; the assignment below is the one consistent with these values and the 6.8 score, i.e. AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L):

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality: LOW
  • Integrity: LOW
  • Availability: LOW

CWE-502 - Deserialization of Untrusted Data

Deserialization of untrusted data vulnerabilities let an attacker replace or manipulate a serialized object with malicious data. When the object is deserialized on the victim's side, that data can compromise the victim's system. The impact can be devastating, ranging from privilege escalation, broken access control or denial of service to unauthorized access to the application's internal code and logic, which can compromise the entire system.

Advisory Timeline

  • Published