N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-47778

GHSA ID

GHSA-f6rx-hf55-4255

EPSS Score

0.2758%

CWE

CWE-611

Published

5/15/2025

Updated

5/15/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47778

CVE-2025-47778: Sulu vulnerable to XXE in SVG File upload Inspector

Impact

A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References.

Patches

The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:

2.6.9
2.5.25
3.0.0-alpha3

Workarounds

Patch the effect file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php in sulu with:

-$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD);
+$dom->loadXML($data, LIBXML_NONET);

References

GitHub repository: https://github.com/sulu/sulu
Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47778

CVE-2025-47778:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-47778

GHSA ID

GHSA-f6rx-hf55-4255

EPSS Score

0.2758%

CWE

CWE-611

Published

5/15/2025

Updated

5/15/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sulu/sulu	composer	>= 2.5.21, < 2.5.25	2.5.25
sulu/sulu	composer	>= 2.6.5, < 2.6.9	2.6.9
sulu/sulu	composer	>= 3.0.0-alpha1, < 3.0.0-alpha3	3.0.0-alpha3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description and the provided patch clearly indicate that the containsUnsafeContent function in SvgFileInspector.php was responsible for parsing SVG files in a way that was vulnerable to XXE. The patch directly modifies this function to disable external entity loading and substitution, which are the root cause of the XXE vulnerability. The commit message also confirms that the change is to fix an XXE issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47778: Sulu vulnerable to XXE in SVG File upload Inspector

Impact

Patches

Workarounds

References

CVE-2025-47778:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-47778: Sulu vulnerable to XXE in SVG File upload Inspector

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI