
CVE-2025-61457: code16 Sharp vulnerable to Cross Site Scripting (XSS)

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 10/21/2025
Updated: 10/21/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: code16/sharp
Ecosystem: composer
Vulnerable Versions: < 9.7.0
First Patched Version: 9.7.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in code16/sharp that occurs because uploaded SVG files are not sanitized. An attacker can upload an SVG file containing malicious JavaScript, which will be executed when the file is viewed in a browser.

The analysis of the patch commit bf7fedf2086d86aac16194733a6385564e5cf124 reveals the vulnerable code path and the fix.

The root cause is the lack of sanitization in the file upload process. The function Code16\Sharp\Http\Jobs\HandleUploadedFileJob::handle is directly responsible for processing the uploaded file. Before the patch, this function saved the file to storage without any sanitization, making it the primary vulnerable function. The patch introduces a call to a new SanitizeSvgJob within this function to clean SVG files before they can be served back to a browser.

Another key function in the vulnerable process is Code16\Sharp\Form\Fields\Formatters\UploadFormatter::fromFront. This function is the entry point for handling a new file upload from the user interface. It queues the HandleUploadedFileJob for background processing. The patch modifies this function to pass a shouldSanitizeSvg flag, indicating that the sanitization logic was missing from this part of the workflow as well.

Therefore, both functions are identified as part of the vulnerability. HandleUploadedFileJob::handle is where the lack of sanitization occurs, and UploadFormatter::fromFront is the function that initiates the vulnerable process for a new upload.

Vulnerable functions

Code16\Sharp\Http\Jobs\HandleUploadedFileJob::handle (src/Http/Jobs/HandleUploadedFileJob.php)
This function is responsible for processing uploaded files. Prior to the patch, it did not sanitize SVG files, which could lead to a Cross-Site Scripting (XSS) vulnerability if a malicious SVG file was uploaded. The patch adds a check to sanitize SVG files by dispatching a `SanitizeSvgJob`.

Code16\Sharp\Form\Fields\Formatters\UploadFormatter::fromFront (src/Form/Fields/Formatters/UploadFormatter.php)
This function handles the file upload from the front-end and queues a job to process it. It was vulnerable because it did not ensure that SVG files were sanitized. The patch adds the `shouldSanitizeSvg` parameter to the queued job, which is then used by `HandleUploadedFileJob` to determine if sanitization is needed.
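The page describes the fix only as dispatching a `SanitizeSvgJob`. The Python block below is an added example, not code16/sharp's own job, of what such sanitization has to do to neutralise the vector described above: it drops script and foreignObject elements, on* event-handler attributes and javascript:-scheme links (including whitespace-obfuscated ones), and rejects a file whose root element is not svg. SAMPLE_SVG is a constructed test input.

```python
# Added example, not code16/sharp's SanitizeSvgJob: strip the active-content
# vectors an unsanitized SVG upload can carry before the file is ever served.
import re
import xml.etree.ElementTree as ET

DANGEROUS_TAGS = {"script", "foreignobject"}  # run script / embed HTML

# Constructed sample: every vector below must be removed, the circle kept.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="java&#9;script:alert(1)"><text x="1" y="9">hi</text></a>
  <foreignObject><p xmlns="http://www.w3.org/1999/xhtml">html</p></foreignObject>
  <circle cx="5" cy="5" r="4" onclick="alert(1)"/></svg>"""

def local_name(qname):
    """'{namespace}tag' -> 'tag', lower-cased; plain names unchanged."""
    return qname.rsplit("}", 1)[-1].lower()

def is_script_url(value):
    # Drop whitespace/control characters so "java\tscript:" is caught too.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.startswith(("javascript:", "vbscript:"))

def sanitize_svg(svg_text):
    """Return (sanitized SVG, list of removed items); ValueError if not <svg>."""
    ET.register_namespace("", "http://www.w3.org/2000/svg")
    ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = []
    # Pass 1: drop dangerous elements (iterate over copies while mutating).
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed.append("element:" + local_name(child.tag))
    # Pass 2: drop event handlers and script-scheme links on what is left.
    for el in root.iter():
        for attr in list(el.attrib):
            name = local_name(attr)
            if name.startswith("on"):
                del el.attrib[attr]
                removed.append("attr:" + name)
            elif name == "href" and is_script_url(el.attrib[attr]):
                del el.attrib[attr]
                removed.append("url:" + name)
    return ET.tostring(root, encoding="unicode"), removed
```

Running `sanitize_svg(SAMPLE_SVG)` keeps only the circle and the text node; the returned list records each removed element, attribute and link so the upload pipeline can log what was stripped.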

WAF Protection Rules

WAF Rule

code16 Sharp v*.*.* is vulnerable to Cross Site Scripting (XSS) src/Form/Fields/SharpFormUploadField.php.

Reasoning

The vulnerability is a Cross-Site Scripting (XSS) issue in `code16/sharp` that occurs because uploaded SVG files are not sanitized. An attacker can upload an SVG file containing malicious JavaScript, which will be executed when the file is viewed in