CVE-2024-25117: 
PHP vulnerability analysis and mitigation

CVE-2024-25117 affects php-svg-lib, a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, the library failed to validate font-family attributes for PHAR URLs and external references, potentially leading to Remote Code Execution (RCE) on PHP versions below 8.0 (GitHub Advisory, NVD).

The vulnerability stems from insufficient validation in the Style::fromAttributes() and Style::parseCssStyle() methods, which fail to check font-family contents for PHAR URLs. This oversight could allow dangerous fontName values to be passed to other libraries. The issue has a CVSS v3.1 base score of 9.8 (CRITICAL) according to NVD, while GitHub rates it as 6.8 (MEDIUM) (NVD).

Libraries using php-svg-lib as a dependency might be vulnerable to restriction bypasses or remote code execution if they do not properly validate the fontName value passed by php-svg-lib. The vulnerability particularly affects systems running PHP versions below 8.0 (GitHub Advisory).

The vulnerability has been fixed in version 0.5.2 of php-svg-lib. The fix implements proper validation of font-family attributes and external references. Users are advised to upgrade to this version or later (GitHub Advisory).