Medium severity · NVD Advisory · Published May 14, 2025 · Updated Apr 15, 2026
CVE-2025-47778
Description
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG which may load external data via the XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the affected file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php manually.
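As an added example (not Sulu's code and not the patched `SvgFileInspector`), the following PHP class shows the parsing configuration the fix moves to, plus two checks the description implies but the patch does not show: a fail-closed result when libxml cannot parse the upload, and an explicit rejection of any entity declared with an external identifier. The class name, the `UNSAFE_ELEMENTS` list and the sample SVGs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Sulu's code. Parses an uploaded SVG with external
// entity resolution disabled and rejects anything that cannot be vetted.
final class HardenedSvgInspector
{
    // Constructed list for this example; Sulu keeps its own UNSAFE_ELEMENTS.
    private const UNSAFE_ELEMENTS = ['script', 'foreignObject', 'iframe', 'embed'];

    public function isSafe(string $svg): bool
    {
        // Remember the previous error-handling mode so it can be restored.
        $previousMode = \libxml_use_internal_errors(true);

        try {
            $dom = new \DOMDocument();
            // Neither LIBXML_NOENT nor LIBXML_DTDLOAD is passed, so entity
            // references stay unexpanded and external DTDs are never fetched;
            // LIBXML_NONET forbids any network access while parsing.
            $dom->resolveExternals = false;
            $dom->substituteEntities = false;

            if (!$dom->loadXML($svg, \LIBXML_NONET)) {
                // Fail closed: an unparseable upload is not treated as clean.
                return false;
            }
        } finally {
            \libxml_use_internal_errors($previousMode);
            \libxml_clear_errors();
        }

        // Internal entities (Illustrator exports declare several) are fine;
        // an entity with a SYSTEM or PUBLIC identifier points outside the file.
        if ($dom->doctype !== null) {
            foreach ($dom->doctype->entities as $entity) {
                if ($entity->systemId !== null || $entity->publicId !== null) {
                    return false;
                }
            }
        }

        // Same shape of check as the inspector in the patch: element names
        // that can execute script or embed foreign content are rejected.
        foreach (self::UNSAFE_ELEMENTS as $element) {
            if ($dom->getElementsByTagName($element)->length > 0) {
                return false;
            }
        }

        return true;
    }
}

// Constructed samples covering the cases discussed above.
$samples = [
    'plain drawing' => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    'internal entities (Illustrator style)' => '<?xml version="1.0"?>'
        . '<!DOCTYPE svg [<!ENTITY ns_ai "http://ns.adobe.com/AdobeIllustrator/10.0/">]>'
        . '<svg xmlns="http://www.w3.org/2000/svg" xmlns:i="&ns_ai;"/>',
    'script element' => '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    'external entity declaration' => '<?xml version="1.0"?>'
        . '<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
        . '<svg xmlns="http://www.w3.org/2000/svg">&ext;</svg>',
    'malformed markup' => '<svg><g></svg>',
];

$inspector = new HardenedSvgInspector();
foreach ($samples as $name => $svg) {
    printf("%-40s %s\n", $name, $inspector->isSafe($svg) ? 'accepted' : 'rejected');
}
```

Saved to a file and run with the php CLI, the loop prints one accepted/rejected line per sample. The Illustrator-style sample exercises the same thing Sulu's own regression test pins down: the internal DTD subset is still parsed, so legitimate exports keep working. The external-entity sample exercises the doctype check, and the malformed sample exercises the fail-closed branch; both are rejected regardless of whether libxml reports a parse error for them, which is the property a defender wants from an upload filter.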
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sulu/sulu (Packagist) | >= 2.5.21, < 2.5.25 | 2.5.25 |
| sulu/sulu (Packagist) | >= 2.6.5, < 2.6.9 | 2.6.9 |
| sulu/sulu (Packagist) | >= 3.0.0-alpha1, < 3.0.0-alpha3 | 3.0.0-alpha3 |
Patches
2 files changed · +34 −4
src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php+11 −4 modified@@ -55,10 +55,17 @@ public function inspect(UploadedFile $file): UploadedFile private function containsUnsafeContent(string $svg): bool { - \libxml_use_internal_errors(true); - $dom = new \DOMDocument(); - $dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD); - \libxml_clear_errors(); + $xmlErrorHandlerPreviousValue = \libxml_use_internal_errors(true); + + try { + $dom = new \DOMDocument(); + $dom->resolveExternals = false; + $dom->substituteEntities = false; + $dom->loadXML($svg, \LIBXML_NONET); + } finally { + \libxml_use_internal_errors($xmlErrorHandlerPreviousValue); + \libxml_clear_errors(); + } foreach (self::UNSAFE_ELEMENTS as $element) { if ($dom->getElementsByTagName($element)->length > 0) {
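Review bot: the new `loadXML($svg, \LIBXML_NONET)` call still ignores its boolean return, so on a parse failure the `foreach` over `self::UNSAFE_ELEMENTS` runs against an empty `DOMDocument`, every `getElementsByTagName($element)->length` is 0, and a malformed upload is reported as containing no unsafe content; inside the `try`, prefer `if (!$dom->loadXML($svg, \LIBXML_NONET)) { return true; }` so the inspector fails closed (the `finally` then clears the libxml errors exactly as it does now). The flag change itself is the substance of the fix: the old `\LIBXML_NOENT | \LIBXML_DTDLOAD` asked libxml to substitute entities and load external DTDs, which is what an external entity declaration needs to resolve, while `\LIBXML_NONET` together with `resolveExternals = false` and `substituteEntities = false` leaves entity references unexpanded. Restoring the previous `libxml_use_internal_errors()` value in `finally` instead of leaving it forced to `true` is a good side fix; a one-line comment on why `LIBXML_NONET` replaced the two old flags would help the next reader not reintroduce them.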
src/Sulu/Bundle/MediaBundle/Tests/Unit/FileInspector/SvgFileInspectorTest.php+23 −0 modified@@ -32,6 +32,29 @@ public static function provideSvgs(): \Generator yield 'svg with attributes' => ['<svg width="100" height="100" viewBox="0 0 100 100"></svg>', true]; yield 'svg with path' => ['<svg><path d="M10 10 H 90 V 90 H 10 L 10 10"/></svg>', true]; yield 'svg with style' => ['<svg><style>.cls-1{fill:none;}</style><circle class="cls-1" cx="50" cy="50" r="40"/></svg>', true]; + yield 'svg with adobe common svg entity export style' => ['<?xml version="1.0" encoding="utf-8"?> +<!-- Generator: Adobe Illustrator 25.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [ + <!ENTITY ns_extend "http://ns.adobe.com/Extensibility/1.0/"> + <!ENTITY ns_ai "http://ns.adobe.com/AdobeIllustrator/10.0/"> + <!ENTITY ns_graphs "http://ns.adobe.com/Graphs/1.0/"> + <!ENTITY ns_vars "http://ns.adobe.com/Variables/1.0/"> + <!ENTITY ns_imrep "http://ns.adobe.com/ImageReplacement/1.0/"> + <!ENTITY ns_sfw "http://ns.adobe.com/SaveForWeb/1.0/"> + <!ENTITY ns_custom "http://ns.adobe.com/GenericCustomNamespace/1.0/"> + <!ENTITY ns_adobe_xpath "http://ns.adobe.com/XPath/1.0/"> +]> +<svg version="1.1" xmlns:x="&ns_extend;" xmlns:i="&ns_ai;" xmlns:graph="&ns_graphs;" + xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" + viewBox="0 0 89.5056686 94.5434723" style="enable-background:new 0 0 89.5056686 94.5434723;" xml:space="preserve"> +<style type="text/css"> + * { + shape-rendering: crispEdges; + } +</style> +<g id="Text"> +</g> +</svg>', true]; // Potentially unsafe SVGs yield 'svg with script tag' => ['<svg><script>alert("XSS")</script></svg>', false];
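Review bot: the only new case is a positive one, the Illustrator-style SVG whose DOCTYPE declares internal entities and is expected to be accepted (`true`), which usefully pins down that the parser still processes the internal DTD subset after the flag change, but there is no regression test for the vulnerability itself. Add a negative fixture whose DOCTYPE declares an entity with a `SYSTEM` identifier and assert the inspector reports it as unsafe (`false`); without it, a later switch back to `LIBXML_NOENT` would pass this suite unnoticed. The multi-line fixture also carries a PUBLIC identifier pointing at `http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd`; a short comment stating that this URL must not be fetched during the test would make the intent of the case explicit.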
a108d2c24082 · https://github.com/sulu/sulu (via OSV)
659f22100bf2 · https://github.com/sulu/sulu (via OSV)
References
- github.com/advisories/GHSA-f6rx-hf55-4255 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-47778 (advisory, via GHSA)
- github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php (web, via NVD)
- github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544 (web, via NVD)
- github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255 (web, via NVD)