CVE-2023-50251: 
PHP vulnerability analysis and mitigation

php-svg-lib, an SVG file parsing and rendering library, was found to contain a vulnerability (CVE-2023-50251) prior to version 0.5.1. The vulnerability was discovered and disclosed on December 12, 2023, affecting all versions up to and excluding version 0.5.1. The issue lies in the parsing of attributes passed to a use tag inside an SVG document (GitHub Advisory).

The vulnerability stems from an infinite recursion issue when parsing attributes passed to a use tag inside an SVG document. When the library finds a href or xlink:href attribute, it attempts to retrieve the object representing this tag. If the id attribute equals the link attribute inside the use tag, the referenced object (Use tag object) will be called recursively. This vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 5.3 (MEDIUM) by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The weakness is categorized as CWE-674 (Uncontrolled Recursion) (NVD, GitHub Advisory).

The exploitation of this vulnerability can lead to resource exhaustion, potentially causing the system to become unable to handle incoming requests. When triggered, the vulnerability can exhaust the memory available to the executing process and/or the server itself. An attacker sending multiple requests to render a malicious payload can cause denial of service conditions (GitHub Advisory).

The vulnerability has been patched in version 0.5.1 of php-svg-lib. Users are advised to upgrade to this version or later to address the security issue. The fix prevents circular references in use elements through the implementation of instance tracking (GitHub Patch).