Problem/Motivation

There is a security issue in enshrined/svg-sanitize version 0.15. See GHSA-22wq-q86m-83fh / CVE-2025-55166: svg-sanitizer Bypasses Attribute Sanitization.

SVG Image Field composer.json requires ~0.15, which is flexible enough to allow individual site owners to update their own dependencies. However, as a best practice we should draw a new line in the sand so that existing installs can simply update the module and get a new version.

Note: vulnerabilities in dependencies do not require a security announcement (https://www.drupal.org/drupal-security-team/security-advisory-process-an...), this can be fixed in public.

Steps to reproduce

Proposed resolution

Bump the enshrined/svg-sanitize dependency in composer.json to ~0.22.

Remaining tasks

User interface changes

API changes

Data model changes

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

jwilson3 created an issue. See original summary.

jwilson3’s picture

Issue summary: View changes
jwilson3’s picture

Issue summary: View changes
jwilson3’s picture

Title: Update enshrined/svg-sanitize dependency » Update enshrined/svg-sanitize dependency to 0.22

jwilson3’s picture

Status: Active » Fixed

The PHPStan failures caused the automatic merge train to fail. I reviewed the failures and confirmed they are unrelated to this issue and will be addressed in a separate follow-up issue that I will create. Will proceed to manually merge the MR.

Now that this issue is closed, please review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, please credit people who helped resolve this issue.

  • jwilson3 committed d0850075 on 2.3.x
    Issue #3551011 by jwilson3: Update enshrined/svg-sanitize dependency to...
vijaycs85’s picture

@jwilson3 thanks for committing this. any chance we could get a new release with this fix so that we can update to latest with security issue, please?

jwilson3’s picture

I'm waiting to get feedback to #3516563: Drupal\Component\Plugin\Exception\PluginException: The plugin (svg) did not specify an instance class., which is potentially a breaking change for some. See my last comment there please. If you're on Windows or case-insensitve filesystem, feedback much appreciated.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

jennypanighetti’s picture

How is this marked as closed/fixed but NOT included in a new release or even the dev version??

Additionally, MR#44 fails to apply as a patch against 3.x-dev.

This error is preventing me from even installing any other modules because of the security warning in composer.

Sorry, that's a different issue, but I'm still surprised this can be marked closed/fixed but not merged.

jwilson3’s picture

This is merged t the 2.3.x branch, which is a "dev" branch and is available for installation via composer using:

composer require 'drupal/svg_image_field:2.3.x-dev@dev'

I just downloaded the ZIP file of the 2.3.x branch to sanity check, and the dependency in composer.json **is** correct.

Therefore, this is fixed. I already explained above about why this isn't yet in an official release yet.

One final point here:

You don't need to update the Drupal module in order to update the dependency.

Since this is just another a composer dependency, like any other, you can easily run:

composer require enshrined/svg-sanitize:^0.22

Then, once the svg_image_field module has had an official release, you can remove the explicit dependency from composer.json

jwilson3’s picture

This is now released in version 2.3.5 of SVG Image Field. Please check release notes.

jwilson3’s picture

Anyone following this issue may wish to follow (and give a 👍) on this upstream issue: https://github.com/darylldoyle/svg-sanitizer/issues/120