Problem/Motivation
There is a security issue in enshrined/svg-sanitize version 0.15. See GHSA-22wq-q86m-83fh / CVE-2025-55166: svg-sanitizer Bypasses Attribute Sanitization.
SVG Image Field composer.json requires ~0.15, which is flexible enough to allow individual site owners to update their own dependencies. However, as a best practice we should draw a new line in the sand so that existing installs can simply update the module and get a new version.
Note: vulnerabilities in dependencies do not require a security announcement (https://www.drupal.org/drupal-security-team/security-advisory-process-an...), this can be fixed in public.
Steps to reproduce
Proposed resolution
Bump the enshrined/svg-sanitize dependency in composer.json to ~0.22.
Remaining tasks
User interface changes
API changes
Data model changes
Issue fork svg_image_field-3551011
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
jwilson3Comment #3
jwilson3Comment #4
jwilson3Comment #6
jwilson3The PHPStan failures caused the automatic merge train to fail. I reviewed the failures and confirmed they are unrelated to this issue and will be addressed in a separate follow-up issue that I will create. Will proceed to manually merge the MR.
Comment #9
vijaycs85@jwilson3 thanks for committing this. any chance we could get a new release with this fix so that we can update to latest with security issue, please?
Comment #10
jwilson3I'm waiting to get feedback to #3516563: Drupal\Component\Plugin\Exception\PluginException: The plugin (svg) did not specify an instance class., which is potentially a breaking change for some. See my last comment there please. If you're on Windows or case-insensitve filesystem, feedback much appreciated.
Comment #12
jennypanighetti commentedHow is this marked as closed/fixed but NOT included in a new release or even the dev version??
Additionally, MR#44 fails to apply as a patch against 3.x-dev.This error is preventing me from even installing any other modules because of the security warning in composer.Sorry, that's a different issue, but I'm still surprised this can be marked closed/fixed but not merged.
Comment #13
jwilson3This is merged t the 2.3.x branch, which is a "dev" branch and is available for installation via composer using:
I just downloaded the ZIP file of the 2.3.x branch to sanity check, and the dependency in composer.json **is** correct.
Therefore, this is fixed. I already explained above about why this isn't yet in an official release yet.
One final point here:
You don't need to update the Drupal module in order to update the dependency.
Since this is just another a composer dependency, like any other, you can easily run:
Then, once the svg_image_field module has had an official release, you can remove the explicit dependency from composer.json
Comment #14
jwilson3This is now released in version 2.3.5 of SVG Image Field. Please check release notes.
Comment #15
jwilson3Anyone following this issue may wish to follow (and give a 👍) on this upstream issue: https://github.com/darylldoyle/svg-sanitizer/issues/120