CVE-2026-31899: CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
Kozea/CairoSVG is vulnerable to an exponential denial of service via recursive <use> element amplification in cairosvg/defs.py (line ~335). A small input can cause CPU exhaustion.
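
A pre-render guard for the amplification described above, as an added example (not CairoSVG's code or its fix): it computes an upper bound on the elements a renderer would visit once every <use> is expanded and rejects the file past a budget. The names expanded_node_count and UseBudgetExceeded and the default budget of 100,000 are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

class UseBudgetExceeded(ValueError):
    """The SVG is rejected before it reaches the renderer."""

def expanded_node_count(svg_bytes, budget=100_000):
    """Upper bound on elements visited once every <use> is expanded."""
    # Stdlib parser keeps the example offline; for untrusted files use a
    # hardened XML parser (e.g. defusedxml) in its place.
    root = ET.fromstring(svg_bytes)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo, in_progress = {}, set()

    def cost(el):
        key = id(el)
        if key in memo:                  # each subtree is costed once,
            return memo[key]             # so the check itself stays linear
        if key in in_progress:
            raise UseBudgetExceeded("cyclic <use> reference")
        in_progress.add(key)
        total = 1
        if el.tag.rsplit("}", 1)[-1] == "use":
            href = el.get("href") or el.get(XLINK_HREF) or ""
            target = by_id.get(href[1:]) if href.startswith("#") else None
            if target is not None:
                total += cost(target)    # a <use> costs its whole target
        total += sum(cost(child) for child in el)
        in_progress.discard(key)
        if total > budget:
            raise UseBudgetExceeded(f"expansion exceeds budget of {budget}")
        memo[key] = total
        return total

    try:
        return cost(root)
    except RecursionError:
        raise UseBudgetExceeded("element nesting too deep") from None

# Constructed sample: 11 elements in the file, three levels of doubling <use>.
SAMPLE = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<g id="a"><rect width="1" height="1"/></g>
<g id="b"><use xlink:href="#a"/><use xlink:href="#a"/></g>
<g id="c"><use xlink:href="#b"/><use xlink:href="#b"/></g>
</defs>
<use xlink:href="#c"/>
</svg>"""
```

Call it on the raw bytes before handing them to the renderer and treat UseBudgetExceeded as a rejected input.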