{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31899", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.689Z", "datePublished": "2026-03-13T19:38:43.990Z", "dateUpdated": "2026-03-16T13:39:14.684Z"}, "containers": {"cna": {"title": "CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c"}, {"name": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf", "tags": ["x_refsource_MISC"], "url": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf"}], "affected": [{"vendor": "Kozea", "product": "CairoSVG", "versions": [{"version": "< 2.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:38:43.990Z"}, "descriptions": [{"lang": "en", "value": "CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input."}], "source": {"advisory": "GHSA-f38f-5xpm-9r7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T13:37:56.879562Z", "id": "CVE-2026-31899", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:39:14.684Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31899", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:37:56.879562Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:38:58.120Z"}}], "cna": {"title": "CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification", "source": {"advisory": "GHSA-f38f-5xpm-9r7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Kozea", "product": "CairoSVG", "versions": [{"status": "affected", "version": "< 2.9.0"}]}], "references": [{"url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c", "name": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf", "name": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:38:43.990Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31899", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:39:14.684Z", "dateReserved": "2026-03-09T21:59:02.689Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T19:38:43.990Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:*", "matchCriteriaId": "901094B9-8320-4ACD-BE63-925FC6B199E1", "versionEndExcluding": "2.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input."}], "id": "CVE-2026-31899", "lastModified": "2026-03-18T15:16:48.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:38.190", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "CairoSVG: CairoSVG: Denial of Service via recursive <use> element amplification", "id": "2447447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447447"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-776", "details": ["A flaw was found in CairoSVG, an SVG converter. A remote attacker could exploit this vulnerability by submitting a specially crafted SVG file that contains recursive `<use>` elements. This can lead to an exponential increase in processing time and CPU exhaustion, resulting in a Denial of Service (DoS) for the system."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted SVG files with CairoSVG. If processing untrusted SVG content is unavoidable, consider isolating the CairoSVG processing within a sandboxed environment to limit potential resource exhaustion."}, "name": "CVE-2026-31899", "public_date": "2026-03-13T19:38:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31899\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31899\nhttps://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf\nhttps://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c"], "statement": "This is an IMPORTANT denial of service vulnerability in CairoSVG, affecting systems that process untrusted SVG input. The flaw allows an attacker to trigger exponential CPU exhaustion through recursive `<use>` element amplification. Red Hat products that include `python-cairosvg` and process untrusted SVG content are affected.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CairoSVG", "source": "cna", "vendor": "Kozea"}, "product": "cairosvg", "vendor": "kozea"}], "analysis": {"en": {"generated_at": "2026-03-18T16:24:16.013771+00:00", "value": {"mitigation_remediation": ["Apply the latest CairoSVG release that contains the recursion mitigation patch", "If an update cannot be applied immediately, reject or sanitize incoming SVG files that use the <use> element, or enforce strict size and recursion limits", "Implement monitoring of CPU usage for the rendering process and apply rate limiting to mitigate heavy loads", "Stay informed of vendor advisories and follow any additional recommended controls"], "summary": {"action": "Apply patch", "impact": "Denial of Service (CPU exhaustion)"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Kozea:CairoSVG library. Version information for affected releases is not explicitly listed in the data; therefore all releases prior to an available fix are considered vulnerable.", "description_and_impact": "CairoSVG contains a defect that allows an attacker to trigger exponential CPU exhaustion by including a recursively referenced <use> element in a crafted SVG file. This flaw is an instance of uncontrolled recursion (CWE-674) combined with resource management weaknesses (CWE-776). When the recursion is processed, the engine repeatedly expands the referenced element, rapidly consuming processing time and memory, which can lead to a denial\u2011of\u2011service condition for a server or application that renders the SVG.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity, yet the EPSS score of less than 1% indicates a low probability of widespread exploitation at present. The flaw is not cataloged in CISA's KEV list. Exploitation requires delivery of a specially crafted SVG file that contains the recursive <use> amplification; the attack can be performed remotely if the application processes untrusted SVG input. When triggered, it results in high CPU usage and potential application or service downtime."}}}}, "created": "2026-03-16T09:24:11.980836+00:00", "updated": "2026-03-23T13:40:09.656688+00:00", "vendors": ["kozea", "kozea$PRODUCT$cairosvg"]}