CVE-2025-55166 in svg-sanitizer

Summary

by MITRE • 08/12/2025

svg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for the lower-case attribute name, which allows the isHrefSafeValue check to be bypassed. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0.


Analysis

by VulDB Data Team • 01/21/2026

svg-sanitizer is a PHP library for sanitizing SVG and XML documents. Versions prior to 0.22.0 contain a flaw in its cleanXlinkHrefs method, the routine that validates xlink:href attributes. The method looks the attribute up by its lower-case name only, so an attribute whose name is cased differently is never submitted to the isHrefSafeValue check and keeps whatever value the attacker supplied. Applications that rely on the library to sanitize user-supplied SVG, for example uploaded images that are later rendered in a browser, are therefore exposed to cross-site scripting and to links that point at external domains.

Technically, the problem is a case-sensitive attribute-name comparison. XML names are case-sensitive, so to an XML parser xlink:HREF or Xlink:href is a different attribute from xlink:href, and a lookup that searches only for the lower-case spelling does not find it. The value, which may be a javascript: URL or a reference to a remote resource, is never passed to isHrefSafeValue and survives sanitization untouched. The casing stops mattering once the sanitized markup is parsed as HTML, for example as inline SVG in a page: the HTML tokenizer lowercases attribute names before the foreign-attribute adjustment maps xlink:href into the XLink namespace, so the browser treats xlink:HREF as xlink:href and honours the link. The sanitizer thus fails to normalize attribute names before applying its security check, an input-validation bypass classified under CWE-20 (Improper Input Validation) and CWE-79 (Cross-Site Scripting). The consequence is execution of attacker-controlled script in the victim's browser via an injected hyperlink, not code execution on the server.

The impact is not limited to script execution. A surviving xlink:href can send users to an attacker-controlled external domain, which enables phishing or the loading of malicious external resources, because the library's external-reference filtering is skipped along with its scheme check. Any application that passes untrusted SVG through an affected version is in scope, in particular content management systems, upload handlers and dynamic SVG generators whose output is rendered in a browser, where the unchecked attribute becomes a navigable or executable link.

Mitigation is to upgrade to version 0.22.0 or later, where cleanXlinkHrefs matches the attribute name case-insensitively. Inventory every application that bundles the library (for Composer-managed PHP projects, composer.lock records the installed version) and confirm the upgrade actually ships. Because the bypass depends only on attribute-name case, a quick regression check is to run a sample containing an attribute such as xlink:HREF="javascript:..." through the sanitizer and confirm that the attribute is removed from the output. For defense in depth, serve user-supplied SVG under a Content Security Policy, prefer rendering it through an img element rather than as inline markup where the use case allows it (script does not run and links are not followed in that context), validate input at more than one layer, and include SVG handling in regular security scanning. VulDB maps the issue to ATT&CK T1203 (Exploitation for Client Execution), since the payload executes in the user's browser. Security teams should also monitor sanitized output for unexpected external references, cover SVG-based vectors in incident response procedures, and have code review of sanitization logic check attribute-name normalization explicitly so the same class of bug does not recur.
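The lookup difference described in the analysis above, and the case-insensitive matching the 0.22.0 fix introduces, as an added example that is not the library's own PHP code: the first sanitizer looks the attribute up by its exact lower-case name, the second compares the lower-cased local name of every attribute. is_href_safe_value is a hypothetical stand-in for the library's isHrefSafeValue, the SVG input is constructed for this example, and html_attribute_names shows what an HTML parser makes of the same attribute name.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample input, not taken from the advisory: one same-document
# reference, one payload with a mixed-case attribute name, one remote reference.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="#safe"><text>ok</text></a>
  <a xlink:HREF="javascript:alert(1)"><text>bypass</text></a>
  <use xlink:href="https://attacker.example/sprite.svg#icon"/>
</svg>"""


def is_href_safe_value(value: str) -> bool:
    """Hypothetical stand-in for the library's isHrefSafeValue(): accept
    same-document fragments and data: images only, reject every other scheme."""
    v = value.strip().lower()
    return v.startswith("#") or v.startswith("data:image/")


def _split_name(qname: str):
    """ElementTree spells namespaced attributes as '{uri}local'."""
    ns, _, local = qname.rpartition("}")
    return ns.lstrip("{"), local


def clean_xlink_hrefs_vulnerable(svg_text: str) -> ET.Element:
    """Pre-0.22.0 behaviour: the attribute is looked up by one exact name.
    XML names are case-sensitive, so '{xlink}HREF' is a different key and
    never reaches the value check."""
    root = ET.fromstring(svg_text)
    key = "{%s}href" % XLINK_NS
    for el in root.iter():
        value = el.get(key)
        if value is not None and not is_href_safe_value(value):
            del el.attrib[key]
    return root


def clean_xlink_hrefs_fixed(svg_text: str) -> ET.Element:
    """Case-insensitive variant: every attribute whose lower-cased local name
    is 'href' (xlink namespace or the un-prefixed SVG 2 form) is checked."""
    root = ET.fromstring(svg_text)
    for el in root.iter():
        for qname in list(el.attrib):
            ns, local = _split_name(qname)
            if local.lower() == "href" and ns in (XLINK_NS, ""):
                if not is_href_safe_value(el.attrib[qname]):
                    del el.attrib[qname]
    return root


def remaining_hrefs(root: ET.Element) -> list:
    """Values of every href-like attribute left after sanitization, in
    document order, regardless of how the name was cased."""
    return [value
            for el in root.iter()
            for qname, value in el.attrib.items()
            if _split_name(qname)[1].lower() == "href"]


class _AttrNames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def html_attribute_names(fragment: str) -> list:
    """Attribute names as an HTML parser reports them. The HTML tokenizer
    lowercases names, so markup an XML-based sanitizer left alone as
    'xlink:HREF' is seen as 'xlink:href' once inlined in a page."""
    p = _AttrNames()
    p.feed(fragment)
    p.close()
    return p.names


if __name__ == "__main__":
    print("vulnerable:", remaining_hrefs(clean_xlink_hrefs_vulnerable(SAMPLE_SVG)))
    print("fixed:     ", remaining_hrefs(clean_xlink_hrefs_fixed(SAMPLE_SVG)))
    print("html sees: ", html_attribute_names('<svg><a XLINK:HREF="javascript:alert(1)">x</a></svg>'))
```

The vulnerable variant strips the remote use reference but leaves the javascript: value on the mixed-case attribute; the fixed variant leaves only the fragment reference. The same input with the attribute name spelled XLINK:HREF shows why the leftover matters: the standard-library HTML parser already reports it as xlink:href.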

Responsible

GitHub M

Reservation

08/07/2025

Disclosure

08/12/2025

Moderation

accepted

CPE

ready

EPSS

0.00079

KEV

no

Activities

very low
