Camaleon CMS - SVG File Upload Creates DoS for Media Upload Feature
Description
In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an Uncaught Exception. The app's media upload feature crashes permanently when an attacker with low-privileged access uploads a specially crafted .svg file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Camaleon CMS 2.0.1-2.6.0 media upload crashes permanently due to an uncaught exception when uploading a malicious SVG file.
Vulnerability
In Camaleon CMS, versions 2.0.1 to 2.6.0, the media upload feature contains an uncaught exception vulnerability. When a low-privileged attacker uploads a specially crafted .svg file that lacks dimension metadata (e.g., width and height), the application attempts to parse it using MiniMagick and fails. The call to MiniMagick::Image.open raises an exception that is not caught, causing the upload feature to crash permanently [1][4].
Exploitation
An attacker with low-privileged access (e.g., an author or editor role) can exploit this vulnerability by uploading a malicious .svg file that is missing width and height attributes. The crafted SVG triggers the unhandled exception when the system tries to retrieve image dimensions, and the upload process crashes without recovery. No authentication bypass or additional network position is required beyond the existing low-privileged account [1][4].
Impact
Successful exploitation results in a permanent denial of service (DoS) of the media upload functionality for the entire application. The crash prevents any user from uploading media files until manual intervention or server restart. This disrupts content publishing workflows and degrades the availability of the CMS [1][4].
Mitigation
The fix was committed in commit ab89584 to the Camaleon CMS repository [4]. The change wraps the dimension retrieval in a rescue block, defaulting to "0x0" when the SVG is malformed, preventing the crash. Users should upgrade to a version containing this commit (e.g., 2.6.1 if released, or apply the patch manually). If an upgrade is not immediately possible, consider disabling SVG uploads or implementing a pre-upload validation to reject SVGs without dimension metadata as a temporary workaround [1][4].
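The temporary workaround above (reject SVGs that carry no dimension metadata before they reach the image pipeline) can be implemented without touching the uploader. The following is an added example, not code from Camaleon CMS or its fix commit: it reads the root `<svg>` element's `width` and `height` attributes with Ruby's standard REXML parser instead of MiniMagick, returns the same `"0x0"` fallback the upstream patch uses when the size cannot be determined, and exposes an `accept_svg_upload?` check a controller could call before storing the file. The function names, the accepted length syntax (a positive number, optionally suffixed with `px`) and the sample SVG strings are all assumptions constructed for this example.

```ruby
require 'rexml/document'

# Dimension string reported for an SVG with no usable size metadata.
# Mirrors the "0x0" fallback chosen in the upstream fix.
FALLBACK_DIMENSION = '0x0'.freeze

# Accept only length values of the form "<positive number>" or "<positive number>px".
# Percentages, "auto", other units, or garbage return nil so the caller can reject them.
# (Assumed policy for this example; the CMS itself defines no such rule.)
def parse_length(value)
  return nil if value.nil?

  m = value.strip.match(/\A(\d+(?:\.\d+)?)(?:px)?\z/)
  return nil unless m

  n = m[1].to_f
  n.positive? ? n.round : nil
end

# Extract "WIDTHxHEIGHT" from the root <svg> element only; nested elements are ignored.
# Returns FALLBACK_DIMENSION when the document is not well-formed XML, the root is not
# <svg>, or width/height are missing or unparseable, so it never raises into the uploader.
def svg_dimension(svg_text)
  root = REXML::Document.new(svg_text).root
  return FALLBACK_DIMENSION unless root && root.name == 'svg'

  width  = parse_length(root.attributes['width'])
  height = parse_length(root.attributes['height'])
  return FALLBACK_DIMENSION if width.nil? || height.nil?

  "#{width}x#{height}"
rescue REXML::ParseException
  # Malformed XML: report the fallback instead of propagating the exception.
  FALLBACK_DIMENSION
end

# Pre-upload validation: refuse any SVG that would have ended up with the fallback size.
def accept_svg_upload?(svg_text)
  svg_dimension(svg_text) != FALLBACK_DIMENSION
end

# Constructed sample inputs for this example (not taken from the advisory).
GOOD_SVG    = '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="80"><rect width="10" height="10"/></svg>'
NO_SIZE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>'
BROKEN_SVG  = '<svg xmlns="http://www.w3.org/2000/svg" width="120"><rect></svg>'

if __FILE__ == $PROGRAM_NAME
  { good: GOOD_SVG, no_size: NO_SIZE_SVG, broken: BROKEN_SVG }.each do |label, svg|
    puts "#{label}: dimension=#{svg_dimension(svg)} accept=#{accept_svg_upload?(svg)}"
  end
end
```

Only the root element's attributes are inspected, so a `width` on a nested `<rect>` (as in `NO_SIZE_SVG`) does not satisfy the check, which matches what an image library would report for the canvas size. Rejecting percentages and unit-bearing lengths is deliberately strict; loosen `parse_length` if the site legitimately serves such SVGs.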
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| camaleon_cms (RubyGems) | >= 2.0.1, < 2.6.0.1 | 2.6.0.1 |
Affected products
- camaleon_cms/camaleon_cms v5, Range: 2.0.1
Patches
ab89584ab32b: Fix error when uploading an SVG with no size
1 file changed · +1 −1
app/uploaders/camaleon_cms_local_uploader.rb+1 −1 modified@@ -52,7 +52,7 @@ def file_parse(key) if res['file_type'] == 'image' res["thumb"].sub! '.svg', '.jpg' im = MiniMagick::Image.open(file_path) - res['dimension'] = "#{im[:width]}x#{im[:height]}" + res['dimension'] = "#{im[:width]}x#{im[:height]}" rescue "0x0" # Malformed SVGs raise an exception here. end res end
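Review bot: the `rescue "0x0"` modifier on the added `res['dimension']` line only covers `im[:width]` and `im[:height]`; the preceding, unchanged `im = MiniMagick::Image.open(file_path)` stays outside it, so any exception raised by `open` itself on a malformed file still propagates out of `file_parse`. Wrap both lines in an explicit `begin ... rescue MiniMagick::Error => e` block (logging `e` and `file_path` before falling back to `"0x0"`) rather than a bare modifier that swallows every `StandardError`, and add a regression test that uploads an SVG without `width`/`height` attributes so the fallback path is exercised.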
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r2w2-h6r8-3r53 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25971 (GHSA, advisory)
- github.com/owen2345/camaleon-cms/commit/ab89584ab32b98a0af3d711e3f508a1d048147d2 (GHSA, x_refsource_MISC, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2021-25971.yml (GHSA, web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25971 (GHSA, x_refsource_MISC, web)