CVE-2025-47778

Description

### Impact A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References. ### Patches The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are: - 2.6.9 - 2.5.25 - 3.0.0-alpha3 ### Workarounds Patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` in sulu with: ```diff -$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD); +$dom->loadXML($data, LIBXML_NONET); ``` ### References - GitHub repository: https://github.com/sulu/sulu - Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php

How to fix CVE-2025-47778

To remediate CVE-2025-47778, upgrade the affected package to a fixed version below.

• —upgrade to 2.5.25 or later

Is CVE-2025-47778 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.5.21, < 2.5.25

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47778
• PATCHgithub.com/sulu/sulu
• WEBgithub.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php
• WEBgithub.com/sulu/sulu/commit/02f52fca04eb9495b9b4a0c5cc64cf23bc27f544