CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS
Percentile
29.2%
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
When trying to sanitize the svg the lib removes event attributes such as onmouseover
, onclick
but the list of events is not exhaustive. Here’s a list of events not removed by svg-loader.
onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart
As you can see in the POC we can use onbegin
in animate
tag to execute JS code without needing to add data-js="enabled"
.
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<animate onbegin=alert(1) attributeName=x dur=1s>
</svg>
<html>
<head>
<script src="./dist/svg-loader.js" type="text/javascript"></script>
</head>
<body>
<svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
</body>
</html>
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
github.com/shubhamjain/svg-loader
github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128
github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c
github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8
github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript
nvd.nist.gov/vuln/detail/CVE-2023-40013