CVE-2020-25817
Description
SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user submitted data in custom project code, it can lead to vulnerabilities such as XSS on HTML output rendered through this custom code. This is now mitigated by disabling external entities during parsing. (The correct CVE ID year is 2020 [CVE-2020-25817, not CVE-2021-25817]).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SilverStripe through 4.6.0-rc1 contains an XXE vulnerability in CSSContentParser, which can lead to XSS when misused with untrusted data.
Vulnerability
SilverStripe through version 4.6.0-rc1 contains an XML External Entity (XXE) vulnerability in the CSSContentParser class [1][2]. This developer utility was intended to parse HTML within unit tests, but when it is misused in custom project code that processes external or user-submitted data, the XML parser will expand external entities, leading to information disclosure or other attacks [2].
Exploitation
An attacker must be able to supply crafted XML or HTML input that is passed to the CSSContentParser by custom project code that misuses this utility [2]. No special network position is required beyond the ability to submit data to the vulnerable endpoint. The parser processes the input and, because external entities are not disabled by default, it will fetch the external resource referenced in the entity [2].
Impact
Successful exploitation can lead to XML External Entity (XXE) attacks, which may result in local file disclosure or server-side request forgery (SSRF) [2]. Additionally, when the parser output is rendered back as HTML, the attacker can inject malicious scripts, leading to cross-site scripting (XSS) in the context of the target application [2].
Mitigation
The vulnerability is mitigated in SilverStripe by disabling external entities during parsing [2]. The fix was implemented in the underlying framework; details on the specific patched version are expected in the SilverStripe release announcements [1]. Users should ensure they are running the latest patched release and avoid passing untrusted data to CSSContentParser in custom code.
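The class of fix described above, as an added example rather than SilverStripe's own code: a small PHP helper that parses a markup fragment with DOMDocument while keeping external entity loading off, network access forbidden, and any DOCTYPE (the only place entities can be declared) rejected before parsing. The function name and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not the SilverStripe CSSContentParser implementation.
// Parses an HTML/XML fragment without expanding external entities.

function parseFragmentSafely(string $content): DOMDocument
{
    // Entity declarations can only appear inside a DOCTYPE, so a fragment
    // handed to a content parser has no legitimate reason to carry one.
    if (preg_match('/<!DOCTYPE/i', $content)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not allowed');
    }

    // On PHP < 8.0 the external entity loader is on globally unless disabled;
    // from 8.0 it is off by default and the call is deprecated, so gate it.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previousErrorMode = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $ok = $doc->loadXML($content, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if (!$ok) {
        throw new RuntimeException('Fragment is not well-formed XML');
    }
    return $doc;
}

// Constructed sample input: an ordinary fragment parses normally.
$doc = parseFragmentSafely('<div class="note"><p>hello</p></div>');
echo $doc->getElementsByTagName('p')->item(0)->textContent, "\n";

// Constructed sample input: a fragment declaring its own entity is refused
// before the parser ever sees it, regardless of what the entity points at.
try {
    parseFragmentSafely('<!DOCTYPE d [<!ENTITY e "x">]><div>&e;</div>');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Custom project code that feeds user-submitted data into a parser should apply the same two controls: no entity substitution and no DOCTYPE in the input.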
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| silverstripe/framework (Packagist) | >= 4.0.0, < 4.7.4 | 4.7.4 |
Affected products
- SilverStripe / SilverStripe (from the description), no CPE: range < 4.6.0
- OSV coordinates, no CPE: range < 4.6.0; range >= 4.0.0, < 4.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-3vjc-5x79-m9r8 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-25817 (GHSA advisory)
- https://forum.silverstripe.org/c/releases (GHSA, MISC web)
- https://www.silverstripe.org/blog/tag/release (GHSA, MISC web)
- https://www.silverstripe.org/download/security-releases (GHSA web)
- https://www.silverstripe.org/download/security-releases/ (MITRE, CONFIRM)
- https://www.silverstripe.org/download/security-releases/cve-2020-25817 (MITRE, MISC)
- https://www.silverstripe.org/download/security-releases/cve-2021-25817 (GHSA web)
News mentions
No linked articles in our index yet.