GHSA-f38f-5xpm-9r7c: CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
Summary
CairoSVG (an SVG image processing library) has a denial-of-service vulnerability where recursive `<use>` elements (SVG tags that reference other graphics elements) can be nested without limits, causing exponential CPU exhaustion. A tiny 1,411-byte SVG file with just 5 levels of nesting and 10 references each triggers 100,000 render calls, pinning CPU at 100% indefinitely.
Solution / Mitigation
Add a recursion depth counter to the `use()` function in `cairosvg/defs.py` (around line 335) and cap it at approximately 10 levels. Additionally, implement a total element budget so that a small file cannot amplify into an unbounded number of render calls.
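As an added illustration, not CairoSVG's own code, the two mitigations above written as a pre-render check: a cap on `<use>` indirection depth plus a total element budget. The function and constant names and the limit values are assumptions; the two SVG inputs are constructed samples.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
MAX_USE_DEPTH = 10         # depth cap suggested by the advisory (exact value assumed)
MAX_RENDERED_NODES = 5000  # total element budget (value assumed)


class RenderLimitExceeded(Exception):
    """Raised as soon as a <use> chain or the element budget goes over its cap."""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # "{http://www.w3.org/2000/svg}use" -> "use"


def check_render(svg_text, max_depth=MAX_USE_DEPTH, max_nodes=MAX_RENDERED_NODES):
    """Walk the SVG like a renderer, resolving <use>; return (True, nodes) or (False, reason)."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    rendered = 0

    def draw(node, depth):
        nonlocal rendered
        rendered += 1                          # every drawn element consumes budget
        if rendered > max_nodes:
            raise RenderLimitExceeded("element budget of %d exceeded" % max_nodes)
        if _local(node.tag) == "use":
            if depth >= max_depth:             # cycles and deep chains end here
                raise RenderLimitExceeded("use depth of %d exceeded" % max_depth)
            ref = (node.get("href") or node.get(XLINK_HREF) or "").lstrip("#")
            target = by_id.get(ref)
            if target is not None:
                draw(target, depth + 1)        # one indirection = one depth level
            return
        for child in node:
            if _local(child.tag) != "defs":    # <defs> content is drawn only via <use>
                draw(child, depth)

    try:
        draw(root, 0)
    except RenderLimitExceeded as exc:
        return False, str(exc)
    return True, rendered


# Constructed sample: two <use> layers with fan-out 3 (27 drawn nodes in total).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><defs>
<rect id="leaf" width="1" height="1"/>
<g id="l1"><use href="#leaf"/><use href="#leaf"/><use href="#leaf"/></g>
<g id="l2"><use href="#l1"/><use href="#l1"/><use href="#l1"/></g>
</defs><use href="#l2"/></svg>"""

# Constructed sample: a <use> pointing back at its own ancestor, i.e. an infinite cycle.
CYCLIC_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><g id="loop"><use href="#loop"/></g><use href="#loop"/></svg>'
```

Running the check before handing a document to the renderer rejects both the self-referencing cycle and any file whose expanded node count exceeds the budget, without ever doing the expensive drawing work.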
Vulnerability Details
EPSS: 0.0%
March 13, 2026
Original source: https://github.com/advisories/GHSA-f38f-5xpm-9r7c
First tracked: March 13, 2026 at 04:00 PM