
CVE-2025-62798: Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: -
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
code16/sharp    composer     < 9.11.1               9.11.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in the code16/sharp package, specifically within the SharpShowTextField component. The root cause is the improper handling of user-provided input, which is rendered as a Vue template. Malicious input containing Vue's template syntax ({{ and }}) was evaluated by the Vue engine instead of being displayed as plain text.

The analysis of the patch commits reveals the core of the vulnerability. Before the fix, the resources/js/show/components/fields/text/TextRenderer.vue component would take content and directly create a dynamic Vue component from it. This behavior is what allowed the template injection.

The patch addresses this in two main ways:

  1. It refactors the dynamic template rendering logic into a reusable component, resources/js/components/TemplateRenderer.vue.
  2. It introduces a sanitization function, sanitizeForVue, within TemplateRenderer.vue. This function escapes the {{ and }} sequences, preventing Vue from interpreting them as expressions.

The TextRenderer.vue component is modified to use the new, secure TemplateRenderer.vue component, passing the potentially unsafe content to it for rendering. Therefore, the vulnerable functions are the setup scripts of both TextRenderer.vue (which originally contained the unsafe logic) and TemplateRenderer.vue (where the unsafe logic was centralized and then fixed). During exploitation, a profiler would show activity within the rendering and setup phases of these Vue components.
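To make the mechanism concrete, here is an added illustration (not code from code16/sharp) of why user text compiled as a Vue template is evaluated, and how escaping the `{{` / `}}` delimiters before the template is built neutralises it. `findInterpolations` is a deliberately minimal stand-in for the template compiler's delimiter scan, and `sanitizeForVue` is an assumed reimplementation of the idea the advisory describes, not the project's own function.

```javascript
// Added example (not code16/sharp's own code). findInterpolations is a toy
// stand-in for Vue's mustache scan; sanitizeForVue is an assumed implementation.
const OPEN = '{{';
const CLOSE = '}}';

// Returns the expressions a template compiler would evaluate if `template`
// were handed to Vue as a dynamic component template.
function findInterpolations(template) {
  const found = [];
  let pos = 0;
  for (;;) {
    const start = template.indexOf(OPEN, pos);
    if (start === -1) break;
    const end = template.indexOf(CLOSE, start + OPEN.length);
    if (end === -1) break;
    found.push(template.slice(start + OPEN.length, end).trim());
    pos = end + CLOSE.length;
  }
  return found;
}

// Escape the delimiters as HTML character references. The compiler looks for
// the literal characters "{{", so "&#123;&#123;" is plain text to it and is
// only decoded back to "{{" when the text node is rendered.
function sanitizeForVue(content) {
  return content.replace(/\{\{/g, '&#123;&#123;').replace(/\}\}/g, '&#125;&#125;');
}

// Pre-patch behaviour described in the advisory: field content becomes the
// component template as-is, so any embedded expression is evaluated.
function renderUnsafe(content) {
  return { template: content, expressions: findInterpolations(content) };
}

// Post-patch behaviour: the content is escaped before the template is built,
// so the same input renders as literal text.
function renderSafe(content) {
  const template = sanitizeForVue(content);
  return { template, expressions: findInterpolations(template) };
}

// Constructed sample of a text field value containing mustache syntax.
const SAMPLE = 'Price: {{ 6 * 7 }} (constructed sample)';

console.log('unsafe evaluates:', renderUnsafe(SAMPLE).expressions); // [ '6 * 7' ]
console.log('safe evaluates:  ', renderSafe(SAMPLE).expressions);   // []
```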

Vulnerable functions

setup (resources/js/components/TemplateRenderer.vue)
The setup script within `TemplateRenderer.vue` is responsible for creating a dynamic Vue component from a string `template` prop. Before the patch, this template string was used directly, allowing embedded Vue expressions like `{{...}}` to be evaluated, leading to XSS. The patch introduces the `sanitizeForVue` function to escape these expressions before rendering.

setup (resources/js/show/components/fields/text/TextRenderer.vue)
Prior to the patch, the `TextRenderer.vue` component contained the logic to dynamically create a Vue component from the `formattedContent` variable, which holds user-provided data. This logic, which was moved to `TemplateRenderer.vue` and patched, did not sanitize the input, making this component the entry point for the XSS vulnerability.

WAF Protection Rules

WAF Rule

A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in `{{` & `}}` were evaluated by Vue. This allowed attackers to inject

Reasoning

The vulnerability is a Cross-Site Scripting (XSS) issue in the `code16/sharp` package, specifically within the `SharpShowTextField` component. The root cause is the improper handling of user-provided input, which is rendered as a Vue template. Malici