GHSA-xc2r-jf2x-gjr8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xc2r-jf2x-gjr8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xc2r-jf2x-gjr8/GHSA-xc2r-jf2x-gjr8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xc2r-jf2x-gjr8
- Aliases
- Related
- Published
- 2023-08-14T21:32:27Z
- Modified
- 2023-11-08T04:13:16.232467Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- external-svg-loader Cross-site Scripting vulnerability
- Details
-
Summary
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Details
When trying to sanitize the svg the lib removes event attributes such as
onmouseover,onclickbut the list of events is not exhaustive. Here's a list of events not removed by svg-loader.onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstartAs you can see in the POC we can useonbegininanimatetag to execute JS code without needing to adddata-js="enabled".PoC
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <animate onbegin=alert(1) attributeName=x dur=1s> </svg><html> <head> <script src="./dist/svg-loader.js" type="text/javascript"></script> </head> <body> <svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg> </body> </html>Impact
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
- Database specific
{ "nvd_published_at": "2023-08-14T21:15:13Z", "github_reviewed_at": "2023-08-14T21:32:27Z", "github_reviewed": true, "severity": "CRITICAL", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8
- https://nvd.nist.gov/vuln/detail/CVE-2023-40013
- https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c
- https://github.com/shubhamjain/svg-loader
- https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128
- https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript
Affected packages
npm / external-svg-loader
Package
- Name
- external-svg-loader
- View open source insights on deps.dev
- Purl
- pkg:npm/external-svg-loader