CVE-2023-50251

CVE-2023-50251 is a medium-severity security vulnerability in phenx/php-svg-lib (composer), affecting versions < 0.5.1. It is fixed in 0.5.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Denial of service caused by infinite recursion when parsing SVG document

When parsing the attributes passed to a use tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

Details

Inside Svg\Tag\UseTag::before, php-svg-lib parses the attributes passed to an use tag inside an svg document. When it finds a href or xlink:href, it will try to retrieve the object representing this tag:

$link = $attributes["href"] ?? $attributes["xlink:href"];
$this->reference = $document->getDef($link);

if ($this->reference) {
    $this->reference->before($attributes);
}

$document->getDef is implemented as follow:

public function getDef($id) {
    $id = ltrim($id, "#");

    return isset($this->defs[$id]) ? $this->defs[$id] : null;
}

Note: the $id in the above method is actually the link being used in use tag. This part is important, because this behaviour here actually leads to the vulnerability. It will be mentioned later on in this report.

If it finds the referenced object, it will try to call the before method on the referenced object (this is still inside Svg\Tag\UseTag::before) :

if ($this->reference) {
    $this->reference->before($attributes);
}

In order to cause an infinte loop, we need to be able to control the $id used in the $this->defs[$id] code above. This defs property (Svg\Document::defs) is being populated when Svg\Document::_tagStart is called. This is the handler being used when the php-svg-lib is parsing the svg structure:

// Svg\Document line 343
if ($tag) {
    if (isset($attributes["id"])) {
        $this->defs[$attributes["id"]] = $tag;
    }
    else {
        // ...
    }

    // ...
}

So if the use tag contains an id, then that use tag will be added to the $defs array with it's id as the key.

Now as noted before, when there is a link inside the use tag, the library uses that link as the id to actually find the object or tag that has been added to the Svg\Document::defs.

So if the id attribute is equal to the link attribute inside the use tag, then the referenced object (in this case it is the Use tag object) will be called recursively until the memory given to the script is exhausted.

PoC

This is an example svg file that can be used to demonstrate the vulnerability.

<svg width="200" height="200"
  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use id="selfref" xlink:href="#selfref" />
</svg>

Impact

When the lib parses the above payload, it will crash:

PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /xxx/dompdf/vendor/phenx/php-svg-lib/src/Svg/Tag/UseTag.php on line 37

An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

CVE-2023-50251 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.5.1); upgrading removes the vulnerable code path.

Affected versions

phenx/php-svg-lib (< 0.5.1)

Security releases

phenx/php-svg-lib → 0.5.1 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade phenx/php-svg-lib to 0.5.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-50251? CVE-2023-50251 is a medium-severity security vulnerability in phenx/php-svg-lib (composer), affecting versions < 0.5.1. It is fixed in 0.5.1.
  2. How severe is CVE-2023-50251? CVE-2023-50251 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of phenx/php-svg-lib are affected by CVE-2023-50251? phenx/php-svg-lib (composer) versions < 0.5.1 is affected.
  4. Is there a fix for CVE-2023-50251? Yes. CVE-2023-50251 is fixed in 0.5.1. Upgrade to this version or later.
  5. Is CVE-2023-50251 exploitable, and should I be worried? Whether CVE-2023-50251 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-50251 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-50251? Upgrade phenx/php-svg-lib to 0.5.1 or later.

Other vulnerabilities in phenx/php-svg-lib

Stop the waste.
Protect your environment with Kodem.