Description

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as `onmouseover`, `onclick` but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit `d3562fc08` which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

References

https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128

https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c

https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8

https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript

Related Vulnerabilities

CVE-2022-31142 Vulnerability in npm package @fastify/bearer-auth

CVE-2022-44621 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2023-28671 Vulnerability in maven package org.jenkinsci.plugins:octoperf

CVE-2023-45282 Vulnerability in npm package openmct

CVE-2017-14063 Vulnerability in maven package org.asynchttpclient:async-http-client

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Product Patch Vendor Advisory NVD-CWE-noinfo