CVE-2021-23631 — Path Traversal in convert-svg packages

Description

This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file.

How to fix CVE-2021-23631

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed
—no fix listed

Is CVE-2021-23631 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, <= 0.5.0
from 0, <= 0.5.0
from 0, <= 0.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23631
PATCHgithub.com/neocotic/convert-svg
WEBgist.github.com/legndery/a248350bb25b8502a03c2f407cedeb14
WEBsnyk.io/vuln/SNYK-JS-CONVERTSVGCORE-1582785
WEB