ghsa-22wq-q86m-83fh
Vulnerability from github
Published
2025-08-12 20:20
Modified
2025-08-12 20:20
Severity ?
Summary
svg-sanitizer Bypasses Attribute Sanitization
Details
Problem
The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains.
Proof-of-concept
provided by azizk
```
```
Credits
The mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher azizk <medazizknani@gmail.com>.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "enshrined/svg-sanitize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55166"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-12T20:20:58Z",
"nvd_published_at": "2025-08-12T17:15:39Z",
"severity": "MODERATE"
},
"details": "#### Problem\n\nThe sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. `xlink:href` instead of `xlink:HrEf`), which allows to by-pass the `isHrefSafeValue` check. As a result this allows cross-site scripting or linking to external domains.\n\n#### Proof-of-concept\n_provided by azizk_\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"100\" height=\"100\"\u003e\n \u003ca xlink:hReF=\"javascript:alert(document.domain)\"\u003e\n \u003crect width=\"100\" height=\"50\" fill=\"red\"\u003e\u003c/rect\u003e\n \u003ctext x=\"50\" y=\"30\" text-anchor=\"middle\" fill=\"white\"\u003eClick me\u003c/text\u003e\n \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n#### Credits\n\nThe mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher `azizk \u003cmedazizknani@gmail.com\u003e`.",
"id": "GHSA-22wq-q86m-83fh",
"modified": "2025-08-12T20:20:59Z",
"published": "2025-08-12T20:20:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55166"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/commit/0afa95ea74be155a7bcd6c6fb60c276c39984500"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/commit/5a0a1eaf0c6b0b540dc945fe30c93cf106b357c1"
},
{
"type": "PACKAGE",
"url": "https://github.com/darylldoyle/svg-sanitizer"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/releases/tag/0.22.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "svg-sanitizer Bypasses Attribute Sanitization"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.