Unrestricted SVG File Upload Vulnerability in Sulu PHP CMS
CVE-2025-47778

6.1 MEDIUM

Key Information:

Vendor: Sulu
Status: Vendor
CVE Published: 14 May 2025

What is CVE-2025-47778?

Sulu is an open-source content management system built on the Symfony framework. In the affected versions, an admin user can upload SVG files that the XML DOM library parses with external data loading permitted, so a crafted SVG can carry XML External Entity (XXE) references that resolve external resources and may lead to data leaks or other security breaches. The issue is fixed in versions 2.6.9, 2.5.25 and 3.0.0-alpha3, and users are encouraged to upgrade. Those unable to upgrade immediately can apply a manual patch to the SVG file inspector located at src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php.
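As an added illustration of the mitigation the advisory describes (this is not Sulu's own SvgFileInspector or its patch), the stand-alone PHP check below parses an uploaded SVG with network entity loading disabled and without entity substitution, then rejects any document that declares a DOCTYPE or external entities; the class name, method name and sample documents are assumptions.

```php
<?php
// Added example, not Sulu's SvgFileInspector: a stand-alone pre-upload check
// that refuses SVGs carrying a DOCTYPE or external entity declarations.
// Class/method names and the sample documents below are assumptions.
declare(strict_types=1);

final class SvgEntityCheck
{
    /** Returns findings; an empty array means the document is acceptable. */
    public static function inspect(string $svg): array
    {
        $findings = [];

        // LIBXML_NONET blocks network fetches during parsing. LIBXML_NOENT is
        // deliberately omitted so entity references are never substituted.
        // (PHP >= 8.0 also disables external entity loading by default.)
        $previous = libxml_use_internal_errors(true);
        $dom = new DOMDocument();
        $loaded = $dom->loadXML($svg, LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        if ($loaded === false) {
            return ['not well-formed XML'];
        }

        // An uploaded SVG has no legitimate need for a DOCTYPE; that is where
        // external (SYSTEM/PUBLIC) entities would be declared.
        if ($dom->doctype !== null) {
            $findings[] = 'DOCTYPE present';
            foreach ($dom->doctype->entities as $entity) {
                if ((string) $entity->systemId !== '') {
                    $findings[] = sprintf('external entity "%s" -> %s', $entity->nodeName, $entity->systemId);
                }
            }
        }

        $root = $dom->documentElement;
        if ($root === null || $root->localName !== 'svg') {
            $findings[] = 'root element is not <svg>';
        }

        return $findings;
    }
}

// Constructed samples: a plain icon and one declaring an external entity.
$clean = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>';
$xxe = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "http://example.invalid/x">]>'
     . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';
print_r(SvgEntityCheck::inspect($clean));
print_r(SvgEntityCheck::inspect($xxe));
```

Rejecting the upload on any non-empty finding keeps the file out of every downstream XML-aware consumer, not just the inspector itself.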

Affected Version(s)

sulu >= 2.5.21, < 2.5.25 (introduced in 2.5.21, fixed in 2.5.25)

sulu >= 2.6.5, < 2.6.9 (introduced in 2.6.5, fixed in 2.6.9)

sulu >= 3.0.0-alpha1, < 3.0.0-alpha3 (introduced in 3.0.0-alpha1, fixed in 3.0.0-alpha3)

CVSS v4

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
