This is probably a common flaw in a lot of applications with a lot of complexity layered below the main product.

Electron applications are a prime example of this, since there is a whole web browser underneath, and HTML doing HTML things is expected behavior for the browser, but not for the application above. One can probably attribute the whole log4j debacle to the same fault, in that the "common" developer is unable to understand all the complexity and quirks their software ships with (the difference being that a browser engine is far more complex than a logger).

I remember a time when "Scratch" wasn't an Electron application, but a native (I think?) Linux application. Obv. there can be bugs in dependencies too (rsvg, libpng, etc.), but they are different and tend to not be as easily exploitable as these kinds of Electron/HTML->V8 bugs are.
This is one of my favourite classes of vulnerabilities.

Many applications and SaaS products that deal with images are susceptible to this vector because often image handling isn't a core business, just a means to an end, so it isn't always given the priority or deference it deserves.

The SVG format by spec is a Swiss Army knife that contains all kinds of opportunities for leveraging poor handling of the data it can contain.
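As an added illustration of the point both comments make (not code from either commenter), the scanner below shows the kind of pre-render check an image-handling service can run on an uploaded SVG before it ever reaches a browser engine: it rejects entity declarations outright and flags script elements, foreignObject, inline event handlers and non-local references. The two SVG documents are constructed samples; the flagged element and attribute names are the standard SVG ones, and the rejection policy (e.g. treating any non-fragment href on image/use as external) is an assumed one, not a spec rule.

```python
import re
import xml.etree.ElementTree as ET

# Elements whose href loads content from outside the document (assumed policy:
# anything that is not a '#fragment' reference is treated as external).
HREF_LOADERS = {"image", "use", "feImage", "script"}


def local_name(tag):
    """Strip an ElementTree namespace prefix such as '{http://www.w3.org/2000/svg}rect'."""
    return tag.rsplit("}", 1)[-1]


def find_svg_risks(svg_text):
    """Return a list of human-readable findings; an empty list means nothing active was seen."""
    # Refuse DOCTYPE/ENTITY before handing the bytes to an XML parser at all.
    if re.search(r"<!DOCTYPE|<!ENTITY", svg_text, re.IGNORECASE):
        return ["doctype/entity declaration (rejected before parsing)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignObject":
            findings.append("foreignObject element")  # embeds arbitrary HTML
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and name in HREF_LOADERS and not value.strip().startswith("#"):
                findings.append(f"external reference via href on <{name}>")
            elif value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname} on <{name}>")
    return findings


# Constructed samples: a plain icon and one that uses several active features.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             '<rect width="10" height="10" fill="red"/></svg>')
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
               'xmlns:xlink="http://www.w3.org/1999/xlink" onload="doSomething()">'
               '<script>/* constructed placeholder */</script>'
               '<foreignObject><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject>'
               '<image xlink:href="https://example.invalid/x.svg"/></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, find_svg_risks(doc) or "no findings")
```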