
GHSA-3446-6mgw-f79p: Grav is Vulnerable to XXE via SVG Upload

May 5, 2026

Dear Grav Security Team,

A security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity (XXE) injection.

Vulnerability Summary

Field                   | Details
------------------------|------------------------------------------------------------------
Vulnerability Type      | XML External Entity (XXE) Injection
Severity                | High (CVSS 7.5)
Affected Versions       | Grav CMS <= 1.7.x
Affected Component      | SVG file upload/processing
CWE                     | CWE-611: Improper Restriction of XML External Entity Reference
Authentication Required | Yes (Admin panel access)

Technical Details

Root Cause

The application uses simplexml_load_string() to process uploaded SVG files without disabling external entity loading. This allows attackers to inject XXE payloads that are processed by the XML parser.

Vulnerable Code Pattern

// Current (Vulnerable):
$svg = simplexml_load_string($content);

// No DOCTYPE/entity rejection, no LIBXML_NONET, and no restriction on the entity loader

Attack Vector

  1. Attacker authenticates to Grav admin panel
  2. Uploads malicious SVG file via Pages → Media or File Manager plugin
  3. Server parses SVG and processes XXE entities
  4. Arbitrary file contents are exfiltrated

Impact

An authenticated attacker can:

  1. Read sensitive files:
     • /etc/passwd - System user information
     • user/accounts/*.yaml - Admin credentials and 2FA secrets
     • user/config/system.yaml - System configuration
     • .env files - Environment secrets and API keys
  2. Perform SSRF - Access internal services via external entity URLs
  3. Potential DoS - Billion laughs attack via recursive entity expansion

Proof of Concept

Malicious SVG Payload

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<text x="10" y="50">&xxe;</text>
</svg>

Steps to Reproduce

  1. Login to Grav CMS admin panel
  2. Navigate to Pages → select any page → Media tab
  3. Upload the malicious SVG file
  4. Observe file contents in response/error or stored output

Recommended Fix

Option 1: Add XXE Protection Flags

libxml_use_internal_errors(true);
// Do NOT pass LIBXML_NOENT or LIBXML_DTDLOAD: they turn entity substitution and DTD loading ON.
// LIBXML_NONET forbids network access during parsing; on PHP < 8.0 also call libxml_disable_entity_loader(true).
$svg = simplexml_load_string($content, 'SimpleXMLElement', LIBXML_NONET);

Option 2: Use SVG Sanitizer Library (Recommended)

use enshrined\svgSanitize\Sanitizer;

$sanitizer = new Sanitizer();
$sanitizer->removeRemoteReferences(true);
$cleanSVG = $sanitizer->sanitize($content);

The enshrined/svg-sanitize library properly strips XXE payloads and other malicious SVG content.
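The following is an added example, not code from Grav or from this report, showing how the root cause described above (an unguarded simplexml_load_string() on upload content) can be closed in PHP without depending on a third-party library: the upload is rejected outright if it carries a DTD or entity declaration (an SVG image never needs one), the parse runs with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD, the legacy entity loader is switched off on PHP < 8.0, and the root element is checked to be <svg>. The function names and the two constructed inputs at the bottom are assumptions made for illustration.

```php
<?php
// Added example (not Grav's code): hardened SVG upload validation.
// Assumption: $content is the raw upload body as a string.

declare(strict_types=1);

/**
 * True when the document declares a DTD (<!DOCTYPE) or an entity (<!ENTITY).
 * A plain SVG image never needs either, so such uploads are refused before
 * any XML parser sees them, rather than relying on parser flags alone.
 */
function svgDeclaresDtd(string $content): bool
{
    // Drop a possible UTF-8 BOM so the prolog check is not fooled by it.
    $content = preg_replace('/^\xEF\xBB\xBF/', '', $content) ?? $content;
    return (bool) preg_match('/<!(DOCTYPE|ENTITY)\b/i', $content);
}

/**
 * Parses an SVG with external entity loading and network access disabled.
 * Throws InvalidArgumentException for anything that is not a plain <svg> document.
 */
function loadSvgSafely(string $content): SimpleXMLElement
{
    if (svgDeclaresDtd($content)) {
        throw new InvalidArgumentException('SVG contains a DTD or entity declaration');
    }

    // PHP < 8.0 ships with the external entity loader enabled; disable it there.
    // On PHP >= 8.0 the loader is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET: no network access while parsing.
        // Deliberately no LIBXML_NOENT (entity substitution) and no LIBXML_DTDLOAD.
        $svg = simplexml_load_string($content, SimpleXMLElement::class, LIBXML_NONET);
        if ($svg === false) {
            $messages = array_map(fn($e) => trim($e->message), libxml_get_errors());
            libxml_clear_errors();
            throw new InvalidArgumentException('SVG is not well-formed XML: ' . implode('; ', $messages));
        }
    } finally {
        libxml_use_internal_errors($previous);
    }

    // The root element must be <svg> in the SVG namespace.
    $ns = $svg->getNamespaces(false);
    if ($svg->getName() !== 'svg' || ($ns[''] ?? null) !== 'http://www.w3.org/2000/svg') {
        throw new InvalidArgumentException('Root element is not an SVG image');
    }

    return $svg;
}

// Constructed inputs for a quick self-check: one benign image, one carrying a DTD.
$benign  = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
         . '<rect width="10" height="10"/></svg>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY e SYSTEM "file:///dev/null">]>'
         . '<svg xmlns="http://www.w3.org/2000/svg"><text>&e;</text></svg>';

foreach (['benign' => $benign, 'with DTD' => $withDtd] as $label => $input) {
    try {
        loadSvgSafely($input);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The DOCTYPE/ENTITY check runs on the raw bytes before parsing so that the decision does not depend on which libxml2 build or PHP version is installed; the parser flags are a second layer, not the first. Because the check is a few lines, it can also be reused as a triage script over media already uploaded to a Grav site to find SVG files that carry a DTD.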

Request

  1. Please acknowledge receipt of this report within 5 business days
  2. Please provide an estimated timeline for a security patch
  3. I am happy to assist with testing the fix
  4. I request a CVE be assigned for this vulnerability
  5. If you have a security advisory process, please include me in the credits

Turki Almatrafi.


References

  • github.com/advisories/GHSA-3446-6mgw-f79p
  • github.com/getgrav/grav
  • github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
  • github.com/getgrav/grav/security/advisories/GHSA-3446-6mgw-f79p

Affected versions

All versions before 2.0.0-beta.2

Fixed versions

  • 2.0.0-beta.2

Solution

Upgrade to version 2.0.0-beta.2 or above.

Impact: 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-611: Improper Restriction of XML External Entity Reference

Source file

packagist/getgrav/grav/GHSA-3446-6mgw-f79p.yml

Page generated Sat, 09 May 2026 00:18:50 +0000.