CVE-2025-25977 - Remote Code Execution in canvg v4..2 via StyleElement Constructor
A new critical security flaw, CVE-2025-25977, has been discovered in canvg, a popular JavaScript library for rendering SVGs on Canvas. This vulnerability affects version v4..2 and could let attackers run arbitrary code in your users’ browsers simply by tricking your app into loading a malicious SVG. In this post, we’ll break down what happened, show simple code snippets, explain the cause, and include exploit details so you can fully understand—and defend against—this threat.
What is Canvg?
Canvg is an open-source library widely used to convert and render SVG images inside the <canvas> HTML element. This makes it a key dependency for dashboards, visualizers, and apps that deal with dynamic SVG content.
Discovery
Security researchers found that the StyleElement class in canvg v4..2 has a constructor that does not sanitize input. This means carefully crafted SVG files can create a situation where JavaScript code is executed directly when an SVG is loaded—leading to Remote Code Execution (RCE).
Here’s the affected code in StyleElement.js:

```js
class StyleElement {
  constructor(document, node, children) {
    // vulnerable: node.textContent comes straight from the untrusted SVG
    // and is stored with no sanitization before the CSS is processed
    this.cssText = node.textContent || '';
    // ...
  }
}
```
Notice the use of node.textContent. If the SVG file contains a malicious <style> element, its contents are taken as-is, and if they are later eval’d or passed to dangerous APIs during parsing, arbitrary JavaScript may end up running.
Let’s say canvg loads the SVG below:

```xml
<svg width="100" height="100">
  <style>
    body { background: red; }
    /* Next line closes style, starts script */
  </style><script>alert('Hacked!');</script>
  <rect width="100" height="100" fill="blue" />
</svg>
```
If your application lets users upload or set arbitrary SVG, an attacker could inject <script> or similar payloads in a <style>, which, due to the bug, get executed as code in your app.
- XSS: Injecting scripts that steal cookies, session data, or perform actions as the user.
- RCE: With enough privileges, remote code execution in node.js apps that use canvg server-side (less common but possible).
- Supply-chain Attacks: Third-party SVGs embedded in sensitive dashboards, analytics, or profile icons could all be vectors.
Quick Mitigation
- Upgrade canvg: As of publishing, update to the latest version where the StyleElement constructor sanitizes input. Watch for patches at canvg releases.
- SVG Input Validation: Never trust uploaded or remote SVGs. Sanitize them using tools like sanitize-svg _before_ passing to canvg.
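To make the second mitigation concrete, here is an added example (not code from canvg, sanitize-svg, or this post’s author) of a server-side upload gate, written in Python, that parses the SVG with a real XML parser and strips the constructs described above before the file is ever handed to canvg: <script> and other embedding elements, on* handlers, javascript: links, and <style> blocks that import, fetch or evaluate anything. The function name, the policy sets, and the size limit are assumptions.

```python
import re
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production (entity expansion)

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed policy (hypothetical, neither canvg's nor sanitize-svg's): drop elements that can
# execute or embed content, on* event handlers, non-http/fragment links, and <style>
# blocks that import, fetch or evaluate anything.
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
UNSAFE_CSS = re.compile(r"@import|url\s*\(|expression\s*\(|javascript:", re.I)

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def _safe_url(value: str) -> bool:
    return value.strip().lower().startswith(("#", "http://", "https://"))

def sanitize_svg(svg_text: str, max_bytes: int = 512 * 1024):
    """Return (cleaned_svg, removed); 'removed' lists each stripped item for logging."""
    if len(svg_text.encode("utf-8")) > max_bytes:
        raise ValueError("SVG exceeds size limit")
    # A real XML parser: the post's '</style><script>' trick simply yields a sibling <script>.
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    for parent in list(root.iter()):  # snapshot, since the tree is mutated below
        for child in list(parent):
            name = _local(child.tag)
            if name in BLOCKED_TAGS:
                parent.remove(child)
                removed.append(f"element:{name}")
            elif name == "style" and UNSAFE_CSS.search(child.text or ""):
                parent.remove(child)
                removed.append("element:style(unsafe css)")
    for el in root.iter():
        for attr in list(el.attrib):
            short = _local(attr)
            if short.lower().startswith("on") or (attr in URL_ATTRS and not _safe_url(el.attrib[attr])):
                del el.attrib[attr]
                removed.append(f"attr:{short}")
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample: the post's payload, where the <style> break-out introduces a <script>.
SAMPLE_SVG = """<svg width="100" height="100">
<style>body { background: red; }</style><script>alert('Hacked!');</script>
<rect width="100" height="100" fill="blue" />
</svg>"""
```

Rejecting the upload outright whenever `removed` is non-empty is the stricter choice; either way, log the list so tampered uploads show up in monitoring.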
References
- Official canvg repo
- NVD Entry for CVE-2025-25977 *(pending)*
- Common SVG Security Issues
Conclusion
CVE-2025-25977 illustrates once again how easy it is to overlook dangerous user-supplied input in third-party libraries. If your app or service uses canvg prior to the latest patch, act now to patch and sanitize all SVG uploads and sources.
Let your team know, and help keep the web safe!
*If you liked this post or noticed something I missed, drop a note in the comments or check out the full canvg source here.*
Timeline
Published on: 03/10/2025 16:15:13 UTC
Last modified on: 03/12/2025 19:15:40 UTC