svg-sanitizer is a popular PHP library used for cleaning and validating SVG files. It is commonly integrated into web platforms to ensure that uploaded SVGs don't contain malicious code. In early 2022, a major security flaw was discovered: CVE-2022-23638, which allows attackers to inject Cross-Site Scripting (XSS) payloads through SVG files, impacting all users relying on svg-sanitizer prior to version 0.15.0.

In this post, we’ll break down what happened, how this vulnerability works, and what you can do to stay safe.

## What is CVE-2022-23638?

CVE-2022-23638 is a Cross-Site Scripting (XSS) vulnerability in the svg-sanitizer PHP library, affecting every release before v0.15.0. The bug allowed attackers to upload specially crafted SVG files that, when viewed in a browser, could execute unintended JavaScript, stealing user data, performing actions on behalf of users, or compromising sessions.

There is currently _no workaround_ except for upgrading your library version.

## How Does the Vulnerability Work?

SVG files are XML-based images. They can include `<script>` tags, `<foreignObject>`, and other dangerous features. svg-sanitizer is supposed to strip dangerous content. However, before v0.15.0, it missed certain ways attackers could smuggle XSS payloads, especially through unusual or mutated attributes and tag syntax.

Attackers could upload an SVG file like this:

```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert('XSS')</script>
</svg>
```

Expected: the sanitizer should remove `<script>` tags.
Vulnerable versions: it sometimes didn't, depending on the SVG's XML quirks.

Some payloads abuse less common SVG features, like event handlers:

```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <circle onmouseover="alert('XSS!')" cx="50" cy="50" r="40" />
</svg>
```

This uses an `onmouseover` attribute to trigger JavaScript when the SVG is hovered.

## Real-World Impact

If your website allows users to upload SVG files (for avatars, logos, etc.), an attacker could upload a file containing the above. When it is displayed to viewers—even admins—the embedded script could run in their browsers.

## PHP Example

```php
<?php
require 'vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

// Assume $svg contains the user-uploaded SVG contents
$sanitizer = new Sanitizer();
$cleanedSvg = $sanitizer->sanitize($svg);

// sanitize() returns false when the input cannot be parsed as XML; reject such uploads
if ($cleanedSvg === false) {
    exit('Invalid SVG upload');
}

// Save or display $cleanedSvg assuming it's safe
file_put_contents('public/avatars/user.svg', $cleanedSvg);
```

Attackers upload this SVG:

```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <script>alert(document.cookie)</script>
    </body>
  </foreignObject>
</svg>
```

On browsers that support `<foreignObject>`, the script will fire, revealing cookies or performing other malicious actions.

## How to Fix

Upgrade to version 0.15.0 or newer:

```bash
composer require enshrined/svg-sanitize:^0.15.0
```

- After updating, test your upload workflows to confirm the sanitizer strips all script elements and event-handler attributes.

---

## References and Further Reading

- GitHub Security Advisory: GHSA-8wj4-3jjr-4935
- Public CVE entry: CVE-2022-23638
- svg-sanitizer Library on GitHub: darylldoyle/svg-sanitizer
- Release fixing the issue: Release v0.15.0

---

## What Should I Do Next?

1. Check your composer.json for svg-sanitizer.
2. Upgrade to 0.15.0 or newer.
3. Audit your SVG-uploaded content. If old SVGs were sanitized with vulnerable versions, re-sanitize or delete them.
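The following is an added example, not code from the post or from the svg-sanitizer project, covering two of the steps above: verifying after the upgrade that the sanitizer really strips script elements and event-handler attributes, and auditing SVGs that were stored while a vulnerable version was in use. It assumes PHP 7.4+, a Composer autoloader, and enshrined/svg-sanitize 0.15.0 or newer; the sample payloads are constructed to mirror the three shown in the post, and the `public/avatars/` audit path is an assumed location. The verifier is a defence-in-depth check on the sanitizer's output, not a replacement for upgrading.

```php
<?php
// Added example (not from the post or the svg-sanitizer project).
// Assumes: Composer autoload, enshrined/svg-sanitize >= 0.15.0, PHP 7.4+.
require 'vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Return the dangerous constructs still present in an SVG document:
 * script and foreignObject elements, on* event-handler attributes and
 * javascript: URLs in href/xlink:href. An empty array means none were found.
 */
function findDangerousSvgConstructs(string $svg): array
{
    if ($svg === '') {
        return ['empty document'];
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // keep malformed input from emitting warnings
    $loaded = $doc->loadXML($svg, LIBXML_NONET); // no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$loaded) {
        return ['document does not parse as XML'];
    }

    $findings = [];
    $xpath = new DOMXPath($doc);
    // local-name() ignores prefixes, so an svg:script or an XHTML script inside foreignObject both match
    foreach ($xpath->query('//*[local-name()="script" or local-name()="foreignObject"]') as $el) {
        $findings[] = 'element <' . $el->nodeName . '>';
    }
    foreach ($xpath->query('//@*') as $attr) {
        $name  = strtolower($attr->localName);
        $value = strtolower(trim($attr->nodeValue));
        if (strncmp($name, 'on', 2) === 0) {
            $findings[] = 'event handler attribute ' . $attr->nodeName;
        } elseif ($name === 'href' && strncmp($value, 'javascript:', 11) === 0) {
            $findings[] = 'javascript: URL in ' . $attr->nodeName;
        }
    }
    return $findings;
}

/**
 * Run the sanitizer, then verify its output. Returns the cleaned SVG, or null
 * (fail closed) if the input could not be parsed or dangerous content remains.
 */
function sanitizeAndVerify(string $svg, array &$findings = []): ?string
{
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences(true); // also drop references to external hosts
    $cleaned = $sanitizer->sanitize($svg);
    if ($cleaned === false) {
        $findings = ['sanitizer could not parse the input'];
        return null;
    }
    $findings = findDangerousSvgConstructs($cleaned);
    return $findings === [] ? $cleaned : null;
}

// Constructed samples mirroring the three payloads shown in the post.
$samples = [
    'script'        => '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    'event handler' => '<svg xmlns="http://www.w3.org/2000/svg"><circle onmouseover="alert(1)" cx="50" cy="50" r="40"/></svg>',
    'foreignObject' => '<svg xmlns="http://www.w3.org/2000/svg"><foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></body></foreignObject></svg>',
];

// 1. Regression test for the upload workflow: every sample must come back clean.
foreach ($samples as $label => $svg) {
    $findings = [];
    $cleaned  = sanitizeAndVerify($svg, $findings);
    printf("%-14s %s\n", $label, $cleaned === null ? 'REJECTED: ' . implode(', ', $findings) : 'clean');
}

// 2. Audit of SVGs stored before the upgrade (assumed directory): list files that still
//    contain dangerous constructs so they can be re-sanitized or deleted.
foreach (glob('public/avatars/*.svg') ?: [] as $path) {
    $findings = findDangerousSvgConstructs((string) file_get_contents($path));
    if ($findings !== []) {
        printf("%s: %s\n", $path, implode(', ', $findings));
    }
}
```

Run it once as a regression test after `composer update`; every sample should print `clean`, and the audit loop should print nothing for a directory whose files were sanitized by a fixed version. Because `sanitizeAndVerify()` returns `null` whenever the verifier finds anything, dropping it into the upload handler in place of a bare `sanitize()` call means an unexpected sanitizer gap rejects the upload instead of storing it.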

---

## Conclusion

CVE-2022-23638 is a serious XSS vulnerability affecting projects that use the PHP svg-sanitizer library. Upgrading your dependencies is the only safe option. In today’s web, never trust uploads—even SVGs can be a vector for attack.

Stay safe and always keep your dependencies patched!

## Timeline

Published on: 02/14/2022 21:15:00 UTC
Last modified on: 02/22/2022 21:06:00 UTC