Overview
sharp depends on librsvg for rendering SVG input.
A directory traversal vulnerability has been found in some versions of librsvg that could be used by an attacker to read file contents on a local filesystem. This has been assigned CVE-2023-38633.
This vulnerability has not yet been assigned a severity score, but my current best guess is that it would be classified as "medium".
Who does this affect?
This vulnerability affects code that uses sharp to process untrusted SVG input from the local filesystem when using a vulnerable version of librsvg.
Buffer and Stream-based SVG input is unaffected.
All other input formats are unaffected.
In summary: if you write untrusted SVG files to a local filesystem before processing them via sharp, then you might be affected.
How to resolve this?
Using prebuilt binaries provided by sharp?
Most people rely on the prebuilt binaries provided by sharp. Please upgrade to the latest 0.32.4, which ships with a patched version of librsvg.
A possible workaround for sharp >= 0.31.0 and <= 0.32.3 is to set the VIPS_BLOCK_UNTRUSTED environment variable, which prevents the processing of all SVG input.
Using a globally-installed libvips?
Please upgrade to the latest patch version of librsvg or set the VIPS_BLOCK_UNTRUSTED environment variable.
Alternative workarounds
Low-level control over runtime image loader availability is available via the sharp.block() function, for example:
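The advisory's own code sample did not survive on this page. What follows is an added illustration of the sharp.block() workaround, not code from the sharp project or from this advisory. It assumes a sharp build that exposes sharp.block(), and it assumes the libvips loader class names VipsForeignLoadSvg (the base class, so blocking it covers every SVG loader) and VipsForeignLoadSvgFile (loading from a filesystem path only, the input kind this advisory identifies as affected); those two names come from libvips' own class naming and are not values stated on this page.

```javascript
// Added example for CVE-2023-38633: block SVG loading at runtime via
// sharp.block(). Not code from sharp or from the advisory.
// Assumption: the installed sharp exposes sharp.block().

// Assumed libvips loader class names (from libvips' foreign/svgload.c naming).
// VipsForeignLoadSvg is the base class, so blocking it covers file, buffer
// and source loaders; VipsForeignLoadSvgFile covers only path-based loading,
// which is the case the advisory says is affected.
const SVG_LOADER_ALL = 'VipsForeignLoadSvg';
const SVG_LOADER_FILE = 'VipsForeignLoadSvgFile';

// Choose the operations to block.
//   'all'  : no SVG input at all (what the advisory describes for
//            VIPS_BLOCK_UNTRUSTED, limited to SVG)
//   'file' : only path-based SVG input; Buffer/Stream SVG input keeps working,
//            which the advisory states is unaffected
function svgBlockList(mode) {
  switch (mode) {
    case 'all':
      return [SVG_LOADER_ALL];
    case 'file':
      return [SVG_LOADER_FILE];
    default:
      throw new Error(`unknown block mode: ${mode}`);
  }
}

// Apply the block list through an injected sharp module, so the policy can be
// exercised with a stub where a native build is unavailable. Returns the list
// of libvips operations that were passed to sharp.block().
function applySvgBlock(sharpModule, mode = 'file') {
  if (!sharpModule || typeof sharpModule.block !== 'function') {
    throw new Error('this sharp build does not expose sharp.block(); upgrade sharp');
  }
  const operation = svgBlockList(mode);
  sharpModule.block({ operation });
  return operation;
}

// Load the real module only if it is installed; keep the example runnable
// (and the policy testable with a stub) when it is not.
function loadSharp() {
  try {
    return require('sharp');
  } catch (err) {
    return null;
  }
}

// Call this once at process start, before any untrusted input is processed.
const sharp = loadSharp();
if (sharp) {
  const blocked = applySvgBlock(sharp, 'file');
  console.log('blocked libvips operations:', blocked.join(', '));
}

module.exports = { svgBlockList, applySvgBlock, SVG_LOADER_ALL, SVG_LOADER_FILE };
```

With sharp installed, calling applySvgBlock(require('sharp'), 'file') at startup makes later sharp('untrusted.svg') calls fail with a libvips error for a blocked operation, while Buffer- and Stream-based SVG input is left alone; 'all' mirrors the VIPS_BLOCK_UNTRUSTED behaviour described above for SVG. Injecting the module rather than requiring it inside applySvgBlock is what lets the block policy be unit-tested with a stub.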