Cyber Posture

CVE-2024-57722

Severity High · Public PoC available

Published 23 January 2025
Modified 15 April 2025
KEV Added
Patch
CVSS Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score 0.0037 (58.5th percentile)
Risk Priority 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).

Security Summary

CVE-2024-57722 is an allocation-size-too-big vulnerability affecting lunasvg version 3.0.0, specifically in the plutovg_surface_create component. This flaw, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling), was published on 2025-01-23 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.

Remote attackers need no privileges or user interaction to exploit this vulnerability over the network, and the attack complexity is low. Successful exploitation can trigger excessive memory allocation, leading to application crashes and a high availability impact on any software that incorporates the affected lunasvg library.

Advisories and related resources include a proof-of-concept exploit at https://github.com/keepinggg/poc/blob/main/poc_of_lunasvg_3.1.0 and a discussion in the project's GitHub issue tracker at https://github.com/sammycage/lunasvg/issues/209. Security practitioners should review these for details on affected versions, reproduction steps, and any vendor-recommended patches or workarounds.

Details

CWE(s) CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

Vendor sammycage
Product lunasvg
Versions 3.0.0, 3.1.0

MITRE ATT&CK Enterprise Techniques

T1499.001 OS Exhaustion Flood (tactic: Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?

The allocation-size-too-big vulnerability in lunasvg lets a crafted SVG drive excessive allocation requests during rendering and exhaust memory, which matches OS Exhaustion Flood (T1499.001) as a means of endpoint denial of service.
