Cyber Posture

CVE-2024-57722

Severity: High | Public PoC: referenced

Published: 23 January 2025
Modified: 15 April 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0037 (58.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57722 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Sammycage Lunasvg. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001). The CVE ranks in the top 41.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to OS Exhaustion Flood (T1499.001). AI-specific risk: MITRE ATLAS External Harms (AML.T0048). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- [prevent] Directly remediates the allocation-size-too-big flaw in lunasvg v3.0.0's plutovg_surface_create by applying vendor patches or upgrading the library.
- [prevent, detect] SC-5 (Denial-of-service Protection): implements denial-of-service protections to limit or block excessive memory allocation attempts exploiting this remote, unauthenticated vulnerability.
- [prevent] SI-10 (Information Input Validation): validates inputs to the lunasvg library to reject crafted SVG data that triggers unbounded memory allocation in plutovg_surface_create.

MITRE ATT&CK Enterprise Techniques

T1499.001 OS Exhaustion Flood (tactic: Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?

Allocation-size-too-big vulnerability in lunasvg enables memory exhaustion via excessive allocation requests during SVG rendering, facilitating OS Exhaustion Flood (T1499.001) for endpoint denial of service.

MITRE ATLAS Techniques

AML.T0048: External Harms

NVD Description

lunasvg v3.0.0 was discovered to contain an allocation-size-too-big bug via the component plutovg_surface_create.

Deeper analysis

CVE-2024-57722 is an allocation-size-too-big vulnerability affecting lunasvg version 3.0.0, specifically in the plutovg_surface_create component. This flaw, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling), was published on 2025-01-23 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can trigger excessive memory allocation, leading to application crashes and high availability disruption in software that incorporates the affected lunasvg library.

Advisories and related resources include a proof-of-concept exploit at https://github.com/keepinggg/poc/blob/main/poc_of_lunasvg_3.1.0 and a discussion in the project's GitHub issue tracker at https://github.com/sammycage/lunasvg/issues/209. Security practitioners should review these for details on affected versions, reproduction steps, and any vendor-recommended patches or workarounds.

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products

Vendor: sammycage
Product: lunasvg
Versions: 3.0.0, 3.1.0

CVEs Like This One

- CVE-2025-24033 (shared CWE-770)
- CVE-2026-34824 (shared CWE-770)
- CVE-2025-26466 (shared CWE-770)
- CVE-2025-8099 (shared CWE-770)
- CVE-2021-47895 (shared CWE-770)
- CVE-2020-37085 (shared CWE-770)
- CVE-2026-20103 (shared CWE-770)
- CVE-2024-12537 (shared CWE-770)
- CVE-2026-33256 (shared CWE-770)
- CVE-2026-26313 (shared CWE-770)

References