CVE-2025-47778 Information
May 15, 2025
cve
Description
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG file that loads external data through the XML DOM library used to inspect it. This can be abused for XML External Entity (XXE) injection. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the affected file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php manually.
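To make the XXE described above concrete, the following is an added example written for this page; it is not Sulu's code and not the patched SvgFileInspector. The two SVG strings are constructed, the function names parseSvgUnsafe and inspectSvg are this example's own, and the hardened inspector shows one reasonable way to refuse an SVG that carries a DTD: a raw-byte pre-check, parsing without LIBXML_NOENT or LIBXML_DTDLOAD and with LIBXML_NONET, and a post-parse check that no doctype survived.

```php
<?php
// Added example (not Sulu's code): the XXE pattern the advisory describes,
// next to a hardened inspector that refuses SVGs carrying a DTD.
declare(strict_types=1);

// Constructed malicious SVG: a DOCTYPE declaring an external SYSTEM entity.
// With entity substitution enabled, the parser reads the referenced file
// and places its contents where &xxe; appears.
$maliciousSvg = <<<'SVG'
<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <text x="0" y="10">&xxe;</text>
</svg>
SVG;

// Constructed benign SVG with no DTD at all.
$benignSvg = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
</svg>
SVG;

/**
 * Vulnerable pattern (hypothetical helper for illustration).
 * LIBXML_NOENT tells libxml to substitute entities, including external
 * SYSTEM entities, which is exactly what makes XXE possible.
 */
function parseSvgUnsafe(string $svg): ?DOMDocument
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $loaded = $doc->loadXML($svg, LIBXML_NOENT);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $loaded ? $doc : null;
}

/**
 * Hardened inspector (hypothetical helper for illustration).
 * Returns true only for an SVG document that declares no DTD and parses
 * without entity substitution, DTD loading, or network access.
 */
function inspectSvg(string $svg): bool
{
    // An SVG never legitimately needs a DTD, so refuse any declaration
    // before the bytes ever reach the parser.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg) === 1) {
        return false;
    }

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    try {
        // No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD;
        // LIBXML_NONET forbids network access while parsing.
        $loaded = $doc->loadXML($svg, LIBXML_NONET);
        if (!$loaded || $doc->doctype !== null) {
            return false;
        }
        $root = $doc->documentElement;
        return $root !== null
            && $root->localName === 'svg'
            && $root->namespaceURI === 'http://www.w3.org/2000/svg';
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Usage: the unsafe parser resolves &xxe; and, where /etc/passwd is readable,
// the <text> element now carries that file's contents.
$unsafe = parseSvgUnsafe($maliciousSvg);
if ($unsafe !== null) {
    $leaked = $unsafe->getElementsByTagName('text')->item(0)->textContent;
    printf("unsafe parser placed %d bytes into <text> via &xxe;\n", strlen($leaked));
}

// The hardened inspector rejects the DTD-bearing file and accepts the plain one.
var_dump(inspectSvg($maliciousSvg));
var_dump(inspectSvg($benignSvg));
```

inspectSvg returns false for the constructed malicious file and true for the benign one. The regex pre-check alone is not a sufficient defence, which is why the function also parses without LIBXML_NOENT and rejects any document whose doctype is non-null afterwards; in PHP 8 libxml_disable_entity_loader() is deprecated, so not passing LIBXML_NOENT or LIBXML_DTDLOAD is the control that matters. Other SVG hazards such as embedded scripts are outside this advisory's scope and are not addressed here.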
Reference
https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
https://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544
https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255