CVE-2025-25977
Published: 10 March 2025
Summary
CVE-2025-25977 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Canvg Canvg. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and remediation of flaws like the prototype pollution vulnerability in canvg 4.0.2, directly preventing arbitrary code execution.
RA-5 mandates vulnerability scanning that identifies the presence of vulnerable canvg 4.0.2 in dependencies, enabling proactive mitigation.
SI-10 enforces validation of SVG inputs prior to processing by canvg, blocking malicious payloads that trigger the StyleElement constructor vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The RCE vulnerability in canvg (via malicious SVG input) directly enables remote exploitation of public-facing applications and client-side code execution in JS environments (browser/Node.js).
NVD Description
An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.
Deeper analysisAI
CVE-2025-25977 is a critical vulnerability in canvg version 4.0.2, a JavaScript library for rendering SVG images to HTML5 Canvas elements. The flaw, classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, or prototype pollution), resides in the constructor of the StyleElement class and enables attackers to execute arbitrary code. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.
Any remote attacker can exploit this vulnerability without authentication or user interaction by supplying a maliciously crafted SVG file to an application or web page that processes SVGs using the affected canvg library. Successful exploitation leads to arbitrary code execution within the victim's browser or Node.js environment, potentially resulting in complete compromise, including data theft, further malware deployment, or full system takeover depending on the context.
Mitigation details and further discussion are available in the GitHub issue tracker at https://github.com/canvg/canvg/issues/1749, where the vulnerability was reported. Security practitioners should audit dependencies for canvg 4.0.2 and consider upgrading to patched versions if available or implementing input validation for SVG processing.
Details
- CWE(s)