CVE-2021-23631: 
JavaScript vulnerability analysis and mitigation

CVE-2021-23631 affects all versions of packages convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg. The vulnerability was discovered and disclosed on September 5, 2021, and published on January 20, 2022. This security issue allows attackers to read arbitrary files from the file system using specially crafted SVG files and display the file content as a converted PNG file (Snyk Advisory, CVE Mitre).

The vulnerability is classified as a Directory Traversal attack (CWE-22). Using specially crafted SVG files, attackers can manipulate file paths to access files stored outside the intended directory. The CVSS v3.1 base score is 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The attack vector is network-based, requires low complexity, needs no privileges or user interaction, and has unchanged scope with high impact on confidentiality (Snyk Advisory).

The primary impact of this vulnerability is the potential unauthorized access to sensitive files on the system. An attacker can read arbitrary files from the file system and convert their content into PNG format, leading to potential exposure of sensitive information. The vulnerability affects confidentiality but has no direct impact on system integrity or availability (Snyk Advisory).

The recommended mitigation is to upgrade convert-svg-core to version 0.6.0 or higher. This applies to all affected packages including convert-svg-to-png and convert-svg-to-jpeg (Snyk Advisory).