CVE-2022-24429: 
JavaScript vulnerability analysis and mitigation

The convert-svg-core package before version 0.6.3 contains an Arbitrary Code Injection vulnerability (CVE-2022-24429). The vulnerability was discovered and disclosed on June 3, 2022, affecting the package's SVG file handling functionality. The package is designed to support converting SVG files into other formats using headless Chromium (Snyk).

The vulnerability allows attackers to execute arbitrary code through specially crafted SVG files. While the package attempted to prevent script execution by removing the 'onload' attribute from SVG tags, this protection could be bypassed using other event attributes like 'onfocus' combined with 'autofocus' on SVG tags. The vulnerability received a CVSS v3.1 score of 7.5 (High), with attack vector being local, low attack complexity, no privileges required, and user interaction required (NVD).

When exploited, the vulnerability allows attackers to read arbitrary files from the file system and display the file content as a converted PNG file. This results in a total loss of confidentiality for affected systems, as sensitive information can be exposed through the file read capability (Snyk).

The vulnerability was patched in version 0.6.3 of convert-svg-core. The fix involves removing all disallowed SVG element attributes except for a set of allowed standard attributes before conversion. Users should upgrade to version 0.6.3 or higher to address this vulnerability (Github Commit).