CVE-2025-47778 | THREATINT

Description

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.

PUBLISHED Reserved 2025-05-09 | Published 2025-05-14 | Updated 2025-05-14 | Assigner GitHub_M

MEDIUM: 6.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-611: Improper Restriction of XML External Entity Reference

Product status

>= 2.5.21, < 2.5.25

affected

>= 2.6.5, < 2.6.9

affected

>= 3.0.0-alpha1, < 3.0.0-alpha3

affected

References

github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255

github.com/...ommit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544

github.com/...MediaBundle/FileInspector/SvgFileInspector.php

cve.org (CVE-2025-47778)

nvd.nist.gov (CVE-2025-47778)

Download JSON