CVE-2025-55166
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-13
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| enshrined | svg-sanitize | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the svg-sanitizer PHP library prior to version 0.22.0. The sanitizer's method for cleaning SVG attributes only checked for lower-case attribute names like 'xlink:href'. However, it failed to detect mixed-case variations such as 'xlink:hReF'. This allowed attackers to bypass the sanitizer's safety checks and inject malicious content, enabling cross-site scripting (XSS) attacks or redirection to external domains when the SVG is rendered. [1]
How can this vulnerability impact me?
If you use a vulnerable version of the svg-sanitizer library, attackers can exploit this flaw to inject malicious scripts or links into SVG content. This can lead to cross-site scripting (XSS) attacks, where malicious JavaScript executes in users' browsers, potentially stealing information or performing unauthorized actions. It can also enable redirection to external, possibly malicious domains, increasing phishing risks. The attack requires user interaction but no special privileges or conditions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting SVG files or inputs processed by the svg-sanitizer library for mixed-case xlink:href attributes (e.g., xlink:hReF) that bypass sanitization. You can search for such attributes in SVG files with commands like:
1) `grep -i 'xlink:href' *.svg` to list every occurrence of the attribute regardless of case
2) `grep -i 'xlink:href' *.svg | grep -v 'xlink:href'` to keep only the mixed-case variants (the case-insensitive matches minus the exact lower-case spelling)
Additionally, reviewing logs or inputs for SVG content containing JavaScript payloads in href attributes (e.g., javascript:alert(document.domain)) can help detect exploitation attempts. [1]
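The explanation and detection answers above describe a case-sensitive attribute check that misses xlink:hReF. The following added example (written for this page, not the svg-sanitize project's own code) contrasts that flawed comparison with a case-insensitive scan over constructed SVG samples and flags the javascript: payload pattern quoted above; the samples, function names and the dict layout are assumptions of the example.

```python
import re

# Constructed SVG samples (not taken from the advisory). The third one carries
# the mixed-case attribute name that the vulnerable check did not recognise.
SAMPLES = [
    '<svg><a xlink:href="https://example.org/p"><text>ok</text></a></svg>',
    '<svg><a xlink:href="javascript:alert(document.domain)"><text>x</text></a></svg>',
    '<svg><a xlink:hReF="javascript:alert(document.domain)"><text>x</text></a></svg>',
]

# Matches href or xlink:href in any letter case; captures the name and the
# quoted value so both can be inspected.
HREF_RE = re.compile(r'\b((?:xlink:)?href)\s*=\s*(["\'])(.*?)\2',
                     re.IGNORECASE | re.DOTALL)


def lowercase_only_check(svg):
    """Models the flaw: the attribute name is compared case-sensitively, so
    only attributes literally spelled xlink:href are seen (xlink:hReF is not)."""
    return [m.group(3) for m in HREF_RE.finditer(svg)
            if m.group(1) == 'xlink:href']


def scan(svg):
    """Defensive check: match the attribute name case-insensitively and
    report whether it is mixed-case and whether its value uses a
    javascript: scheme (compared after trimming and lower-casing)."""
    findings = []
    for m in HREF_RE.finditer(svg):
        name, _, value = m.groups()
        findings.append({
            'attr': name,
            'mixed_case': name != name.lower(),
            'script_scheme': value.strip().lower().startswith('javascript:'),
        })
    return findings


def is_safe(svg):
    """True only when no href-like attribute is mixed-case or script-bearing."""
    return not any(f['mixed_case'] or f['script_scheme'] for f in scan(svg))


if __name__ == '__main__':
    for svg in SAMPLES:
        print(lowercase_only_check(svg), scan(svg), is_safe(svg))
```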
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the svg-sanitizer package to version 0.22.0 or later, where the vulnerability has been patched. This update includes case-insensitive attribute checks and enhanced sanitization logic to prevent bypass via mixed-case attribute names. If upgrading is not immediately possible, as a temporary measure, you can implement additional input validation to reject SVG files containing mixed-case xlink:href attributes or sanitize SVG inputs manually to remove suspicious attributes. [2]