Cyber Resilience

CVE-2025-25977

Severity: Critical · Public PoC

Published: 10 March 2025
Modified: 25 March 2025
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0031 (54.1st percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25977 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in the canvg library (vendor: Canvg). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25977 is a critical vulnerability in canvg version 4.0.2, a JavaScript library for rendering SVG images to HTML5 Canvas elements. The flaw, classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, or prototype pollution), resides in the constructor of the StyleElement class and enables attackers to execute arbitrary code. It received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.

Any remote attacker can exploit this vulnerability without authentication or user interaction by supplying a maliciously crafted SVG file to an application or web page that processes SVGs using the affected canvg library. Successful exploitation leads to arbitrary code execution within the victim's browser or Node.js environment, potentially resulting in complete compromise, including data theft, further malware deployment, or full system takeover depending on the context.

Mitigation details and further discussion are available in the GitHub issue tracker at https://github.com/canvg/canvg/issues/1749, where the vulnerability was reported. Security practitioners should audit dependencies for canvg 4.0.2 and consider upgrading to patched versions if available or implementing input validation for SVG processing.

Vulnerability details

An issue in canvg v4.0.2 allows an attacker to execute arbitrary code via the constructor of the class StyleElement.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The RCE vulnerability in canvg (via malicious SVG input) directly enables remote exploitation of public-facing applications and client-side code execution in JS environments (browser/Node.js).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24888 (shared CWE-1321)
CVE-2026-28794 (shared CWE-1321)
CVE-2026-35209 (shared CWE-1321)
CVE-2026-32878 (shared CWE-1321)
CVE-2026-34221 (shared CWE-1321)
CVE-2024-38988 (shared CWE-1321)
CVE-2026-33994 (shared CWE-1321)
CVE-2026-44483 (shared CWE-1321)
CVE-2026-29063 (shared CWE-1321)
CVE-2026-42232 (shared CWE-1321)

Affected Assets

canvg (vendor: Canvg), versions ≤ 3.0.11 and 4.0.0 through 4.0.3

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent, recover)
SI-2 requires timely identification, reporting, and remediation of flaws like the prototype pollution vulnerability in canvg 4.0.2, directly preventing arbitrary code execution.

RA-5 Vulnerability Monitoring and Scanning (detect)
RA-5 mandates vulnerability scanning that identifies the presence of vulnerable canvg 4.0.2 in dependencies, enabling proactive mitigation.

SI-10 Information Input Validation (prevent)
SI-10 enforces validation of SVG inputs prior to processing by canvg, blocking malicious payloads that trigger the StyleElement constructor vulnerability.
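One way to implement the RA-5 scanning control above, as an added example that is not part of this page or of the canvg project: a JavaScript check that walks the "packages" map of a package-lock.json and flags every canvg copy whose version falls in the ranges listed under Affected Assets (≤ 3.0.11, and 4.0.0 through 4.0.3). The lockfile content is constructed for illustration, and version comparison assumes plain semver with prerelease tags ignored.

```javascript
// Added example (not canvg project code): flag installed canvg copies in the version
// ranges this page lists as affected: every release <= 3.0.11, and 4.0.0 through 4.0.3.
const AFFECTED_RANGES = [
  { min: null, max: "3.0.11" },   // no lower bound
  { min: "4.0.0", max: "4.0.3" }, // inclusive on both ends
];
// "v4.0.2" or "4.0.2-beta.1" -> [4, 0, 2]; prerelease tags are dropped, so a prerelease
// is treated like the release it precedes (the conservative choice for a scanner).
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}
// Numeric comparison (-1, 0, 1); avoids the lexical trap where "4.0.10" < "4.0.9".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function isAffectedCanvgVersion(version) {
  return AFFECTED_RANGES.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) <= 0);
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. A nested copy
// ("node_modules/<parent>/node_modules/canvg") can hide behind a fixed top-level one.
function findAffectedCanvg(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/canvg")) continue;
    if (meta.version && isAffectedCanvgVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}
// Constructed sample lockfile: the top-level canvg is outside the listed ranges, but a
// dependency still bundles its own 3.0.10 copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/canvg": { version: "4.0.4" },
    "node_modules/some-pdf-lib/node_modules/canvg": { version: "3.0.10" },
  },
};
console.log(JSON.stringify(findAffectedCanvg(SAMPLE_LOCKFILE)));
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with JSON.parse of the file's contents; any hit in a nested path is a transitive dependency that an audit of the top-level package.json alone would miss.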
