Description
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Recommendation
Update the external-svg-loader package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.9
- Patched version(s): 1.6.9
References
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash - CVE-2020-28500
- Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
- Elliptic's verify function omits uniqueness validation - CVE-2024-48949
- secp256k1-node allows private key extraction over ECDH - CVE-2024-48930
- Tags:
- npm
- external-svg-loader
Anything's wrong? Let us know Last updated on November 08, 2023