GHSA-f6rx-hf55-4255
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6rx-hf55-4255
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-f6rx-hf55-4255/GHSA-f6rx-hf55-4255.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6rx-hf55-4255
- Aliases
- Published
- 2025-05-15T16:08:02Z
- Modified
- 2025-05-15T16:59:30.564364Z
- Severity
-
- 6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Sulu vulnerable to XXE in SVG File upload Inspector
- Details
-
Impact
A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References.
Patches
The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:
- 2.6.9
- 2.5.25
- 3.0.0-alpha3
Workarounds
Patch the effect file
src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.phpin sulu with:-$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD); +$dom->loadXML($data, LIBXML_NONET);References
- GitHub repository: https://github.com/sulu/sulu
- Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
- Database specific
{ "nvd_published_at": "2025-05-14T16:15:29Z", "cwe_ids": [ "CWE-611" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-05-15T16:08:02Z" }- References
-
- https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255
- https://nvd.nist.gov/vuln/detail/CVE-2025-47778
- https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
- https://github.com/sulu/sulu
- https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php