CVE-2025-67419
In short
EverShop's image API doesn't limit how large SVG files can be processed, allowing attackers to crash the server by sending huge image requests without needing to log in.
Technical detail
Unauthenticated attackers can exploit the GET /images endpoint in EverShop 2.1.0 and prior by submitting SVG files with unbounded use-element shadow trees or oversized pattern tiles, causing excessive memory and CPU consumption that denies service to legitimate users. The vulnerability stems from missing input validation on SVG dimensions and structural depth during file processing.
Summary generated and translated by AI from the official description.
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
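The description names two unbounded structures: the height of the use-element shadow tree and the dimensions of pattern tiles. The following is an added example, not EverShop code and not the project's fix, of a dependency-free Node.js pre-filter that rejects an SVG exceeding either bound before it reaches a renderer. The names `checkSvg`, `LIMITS` and `SAMPLE`, the limit values, and the use of a regex scan in place of a full XML parser are assumptions made for illustration.

```javascript
// Added example, not EverShop code: coarse pre-render guard for untrusted SVG.
// The limits are assumed values for illustration, not taken from any fix.
const LIMITS = { maxBytes: 256 * 1024, maxUseDepth: 4, maxPatternSide: 4096 };

// Constructed sample: <use> references nested three levels deep (c -> b -> a).
const SAMPLE = '<svg><g id="a"><rect width="1" height="1"/></g>' +
  '<g id="b"><use href="#a"/></g><g id="c"><use href="#b"/></g><use href="#c"/></svg>';

// Attributes of one tag as an object (regex scan, not a full XML parser).
const parseAttrs = (text) => Object.fromEntries(
  [...text.matchAll(/(?:^|\s)([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)]
    .map((m) => [m[1], m[2] ?? m[3]]));

function checkSvg(svg, limits = LIMITS) {
  if (Buffer.byteLength(svg) > limits.maxBytes) return { ok: false, reason: 'size' };
  const tooBig = (v) => v !== undefined && !(parseFloat(v) <= limits.maxPatternSide);
  const refs = new Map(); // element id -> ids referenced by <use> elements inside it
  const roots = new Set(); // every id referenced by some <use>
  const stack = []; // ids (or null) of the currently open elements
  for (const m of svg.matchAll(/<(\/?)([\w:-]+)((?:"[^"]*"|'[^']*'|[^<>"'])*)>/g)) {
    const [, closing, name, rest] = m;
    if (closing) { stack.pop(); continue; }
    const a = parseAttrs(rest);
    if (name === 'pattern' && (tooBig(a.width) || tooBig(a.height))) {
      return { ok: false, reason: 'pattern-size' }; // tile is sized by width/height
    }
    const target = (a.href ?? a['xlink:href'] ?? '').replace(/^#/, '');
    if (name === 'use' && target) {
      roots.add(target);
      for (const id of stack) if (id) refs.get(id).add(target);
    }
    if (a.id && !refs.has(a.id)) refs.set(a.id, new Set());
    if (!rest.trimEnd().endsWith('/')) stack.push(a.id ?? null);
  }
  // Longest chain of <use> references starting at `id`; cycles run into the depth cap.
  const memo = new Map();
  const chain = (id, depth) => {
    if (depth > limits.maxUseDepth) return Infinity;
    if (!memo.has(id)) {
      let below = 0;
      for (const t of refs.get(id) ?? []) below = Math.max(below, chain(t, depth + 1));
      memo.set(id, 1 + below);
    }
    return memo.get(id);
  };
  let height = 0;
  for (const t of roots) height = Math.max(height, chain(t, 1));
  return height > limits.maxUseDepth ? { ok: false, reason: 'use-depth' } : { ok: true, height };
}
```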
Affected products
n/a · n/a