← back
CVE-2025-47778

Sulu vulnerable to XXE in SVG File upload Inspector

CVSS 6.1 MEDIUMEPSS 0.4%CWE-611
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
14 May 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Affected products
sulu · sulu

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.phphttps://github.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544https://github.com/sulu/sulu/security/advisories/GHSA-f6rx-hf55-4255