CVE-2025-55166

savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/darylldoyle/svg-sanitizer/commit/5a0a1eaf0c6b0b540dc945fe30c93cf106b357c1
https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh

Configurations

No configuration.

History

13 Aug 2025, 17:34

Type	Values Removed	Values Added
Summary		(es) savg-sanitizer es un depurador PHP SVG/XML. Antes de la versión 0.22.0, la lógica de depuración del método cleanXlinkHrefs solo buscaba nombres de atributo en minúsculas, lo que permitía omitir la comprobación de isHrefSafeValue. Esto permitía el uso de cross-site scripting o la vinculación a dominios externos. Este problema se ha corregido en la versión 0.22.0.

12 Aug 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 17:15

Updated : 2025-08-13 17:34

NVD link : CVE-2025-55166

Mitre link : CVE-2025-55166

CVE.ORG link : CVE-2025-55166

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-55166", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T17:15:39.667", "references": [{"url": "https://github.com/darylldoyle/svg-sanitizer/commit/5a0a1eaf0c6b0b540dc945fe30c93cf106b357c1", "source": "security-advisories@github.com"}, {"url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0."}, {"lang": "es", "value": "savg-sanitizer es un depurador PHP SVG/XML. Antes de la versi\u00f3n 0.22.0, la l\u00f3gica de depuraci\u00f3n del m\u00e9todo cleanXlinkHrefs solo buscaba nombres de atributo en min\u00fasculas, lo que permit\u00eda omitir la comprobaci\u00f3n de isHrefSafeValue. Esto permit\u00eda el uso de cross-site scripting o la vinculaci\u00f3n a dominios externos. Este problema se ha corregido en la versi\u00f3n 0.22.0."}], "lastModified": "2025-08-13T17:34:12.350", "sourceIdentifier": "security-advisories@github.com"}