Moderate severityNVD Advisory· Published Nov 7, 2021· Updated Apr 30, 2025

Apostrophe - XSS

CVE-2021-25978

Description

Apostrophe CMS versions between 2.63.0 to 3.3.1 are vulnerable to Stored XSS where an editor uploads an SVG file that contains malicious JavaScript onto the Images module, which triggers XSS once viewed.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
apostrophenpm	>= 2.63.0, < 3.4.0	3.4.0

Affected products

Apostrophecms/Apostrophev5
Range: unspecified

Patches

c8b94ee9c794

sanitize SVG uploads, including previous uploads

https://github.com/apostrophecms/apostropheThomas BoutellSep 7, 2021via ghsa

commit

4 files changed · +72 −1

CHANGELOG.md+6 −0 modified

@@ -1,5 +1,11 @@
 # Changelog
 
+## 3.3.2 - 2021-09-07
+
+### Security
+
+Users with permission to upload SVG files were previously able to do so even if they contained XSS attacks. In Apostrophe 3.x, the general public so far never has access to upload SVG files, so the risk is minor but could be used to phish access from an admin user uploading a file. While Apostrophe typically displays SVG files using the `img` tag, which ignores XSS vectors, an XSS attack could still be carried out if the image were opened directly via the Apostrophe media library's convenience link for doing so. Beginning in version 3.3.2 all SVG uploads are sanitized via DOMPurify to remove XSS attack vectors. In addition, all existing SVG attachments not already validated are passed through DOMPurify during a migration upon deployment of version 3.3.2. 
+
 ## 3.3.1 - 2021-09-01
 
 ### Fixes

modules/@apostrophecms/attachment/index.js+63 −1 modified

@@ -2,6 +2,8 @@ const _ = require('lodash');
 const path = require('path');
 const fs = require('fs');
 const Promise = require('bluebird');
+const createDOMPurify = require('dompurify');
+const { JSDOM } = require('jsdom');
 
 module.exports = {
   options: { alias: 'attachment' },
@@ -108,6 +110,7 @@ module.exports = {
     await self.db.createIndex({ docIds: 1 });
     await self.db.createIndex({ archivedDocIds: 1 });
     self.addLegacyMigrations();
+    self.addSvgSanitizationMigration();
   },
 
   tasks(self) {
@@ -402,6 +405,16 @@ module.exports = {
         }
         info.length = await self.apos.util.fileLength(file.path);
         info.md5 = await self.apos.util.md5File(file.path);
+        if (info.extension === 'svg') {
+          try {
+            await self.sanitizeSvg(file, info);
+          } catch (e) {
+            // Currently DOMPurify passes invalid SVG content without comment as long
+            // as it's not an SVG XSS attack vector, but make provision to report
+            // a relevant error if that changes
+            throw self.apos.error('invalid', req.t('apostrophe:fileInvalid'));
+          }
+        }
         if (self.isSized(extension)) {
           // For images we correct automatically for common file extension mistakes
           const result = await Promise.promisify(self.uploadfs.copyImageIn)(file.path, '/attachments/' + info._id + '-' + info.name, { sizes: self.imageSizes });
@@ -423,6 +436,20 @@ module.exports = {
         await self.db.insertOne(info);
         return info;
       },
+      // Given a path to a local svg file, sanitize any XSS attack vectors that
+      // may be present in the file. The caller is responsible for catching any
+      // exception thrown and treating that as an invalid file but there is no
+      // guarantee that invalid SVG files will be detected or cleaned up, only
+      // XSS attacks.
+      async sanitizeSvg(path) {
+        const readFile = require('util').promisify(fs.readFile);
+        const writeFile = require('util').promisify(fs.writeFile);
+        const window = new JSDOM('').window;
+        const DOMPurify = createDOMPurify(window);
+        const dirty = await readFile(path);
+        const clean = DOMPurify.sanitize(dirty);
+        return writeFile(path, clean);
+      },
       getFileGroup(extension) {
         return _.find(self.fileGroups, function (group) {
           const candidate = group.extensionMaps[extension] || extension;
@@ -707,7 +734,10 @@ module.exports = {
         const batchSize = 100;
         let lastId = '';
         while (true) {
-          const docs = await self.db.find({ _id: { $gt: lastId } }).limit(batchSize).sort({ _id: 1 }).toArray();
+          const docs = await self.db.find({
+            ...(criteria || {}),
+            _id: { $gt: lastId }
+          }).limit(batchSize).sort({ _id: 1 }).toArray();
           if (!docs.length) {
             return;
           }
@@ -1071,6 +1101,38 @@ module.exports = {
           return bulk.execute();
         }
       },
+      async addSvgSanitizationMigration() {
+        self.apos.migration.add('svg-sanitization', async () => {
+          return self.each({
+            extension: 'svg',
+            sanitized: {
+              $ne: true
+            },
+          }, 1, async attachment => {
+            const tempFile = self.uploadfs.getTempPath() + '/' + self.apos.util.generateId() + '.' + attachment.extension;
+            const copyIn = require('util').promisify(self.uploadfs.copyIn);
+            const copyOut = require('util').promisify(self.uploadfs.copyOut);
+            const uploadfsPath = self.url(attachment, { uploadfsPath: true });
+            try {
+              await copyOut(uploadfsPath, tempFile);
+              await self.sanitizeSvg(tempFile);
+              await copyIn(tempFile, uploadfsPath);
+              await self.db.update({
+                _id: attachment._id
+              }, {
+                $set: {
+                  sanitized: true
+                }
+              });
+            } catch (e) {
+              console.error(e);
+              // This condition shouldn't occur, but do warn the operator if it does
+              // (possibly on input that is not really an SVG file at all)
+              self.apos.util.error(`Warning: unable to sanitize SVG file ${uploadfsPath}`);
+            }
+          });
+        });
+      },
       ...require('./lib/legacy-migrations')(self)
     };
   },

modules/@apostrophecms/i18n/i18n/en.json+1 −0 modified

@@ -128,6 +128,7 @@
   "fileTag": "File Tag",
   "fileTags": "File Tags",
   "fileTypeNotAccepted": "File type was not accepted. Allowed extensions: {{ extensions }}",
+  "fileInvalid": "File was not accepted. It may be corrupted or its content may not match its file extension.",
   "files": "Files",
   "filter": "Filter",
   "filterByTag": "Filter by Tag",

package.json+2 −0 modified

@@ -57,6 +57,7 @@
     "dayjs": "^1.9.8",
     "debounce-async": "0.0.2",
     "deep-get-set": "^1.1.1",
+    "dompurify": "^2.3.1",
     "eslint-plugin-promise": "^5.1.0",
     "express": "^4.16.4",
     "express-bearer-token": "^2.4.0",
@@ -70,6 +71,7 @@
     "i18next-http-middleware": "^3.1.4",
     "import-fresh": "^3.3.0",
     "is-wsl": "^2.2.0",
+    "jsdom": "^17.0.0",
     "klona": "^2.0.4",
     "launder": "^1.4.0",
     "lodash": "^4.17.20",

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-4r9c-jghc-cx5mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2021-25978ghsaADVISORY
github.com/apostrophecms/apostrophe/commit/c8b94ee9c79468f1ce28e31966cb0e0839165e59ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000