CVE-2023-50252: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-50252 affects php-svg-lib, an SVG file parsing and rendering library, prior to version 0.5.1. The vulnerability was discovered and disclosed on December 12, 2023. The issue occurs when handling a use tag that references an image tag, where the library merges attributes between these tags without proper sanitization (GitHub Advisory).

The vulnerability stems from improper attribute merging between use and image tags. When parsing a use tag, the library merges attributes from the referenced tag without properly sanitizing the href attribute. This process can bypass existing validation mechanisms, particularly in the case of image tags. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) from NIST and 8.3 (High) from GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD).

The vulnerability can lead to unsafe file read operations that may result in PHAR Deserialization vulnerabilities in PHP versions prior to 8. In affected PHP versions, this could potentially lead to file deletion causing denial of service, and depending on the available classes in the system, could even result in Remote Code Execution (RCE) (GitHub Advisory).

The vulnerability has been patched in version 0.5.1 of php-svg-lib. For systems that cannot immediately update, it is recommended to implement input validation for SVG files, particularly focusing on the validation of href attributes in use and image tags. The patch prevents the merging of additional USE element attributes by adding 'href', 'xlink:href', and 'id' to the list of attributes that should not be merged (GitHub Patch).