What is CVE-2025-47778?

### Impact A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References. ### Patches The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are: - 2.6.9 - 2.5.25 - 3.0.0-alpha3 ### Workarounds Patch the effect file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` in sulu with: ```diff -$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD); +$dom->loadXML($data, LIBXML_NONET); ``` ### References - GitHub repository: https://github.com/sulu/sulu - Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php

What is the severity of CVE-2025-47778?

CVE-2025-47778 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-47778?

No known public exploits are currently available for CVE-2025-47778.

Is there a patch available for CVE-2025-47778?

Yes, patches are available for CVE-2025-47778. Check the vendor advisories for update instructions.

CVE-2025-47778 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

A admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none secure XML External Entity References.

Patches

The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:

2.6.9
2.5.25
3.0.0-alpha3

Workarounds

Patch the effect file src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php in sulu with:

-$dom->loadXML($svg, \LIBXML_NOENT | \LIBXML_DTDLOAD);
+$dom->loadXML($data, LIBXML_NONET);

References

GitHub repository: https://github.com/sulu/sulu
Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD

CVE-2025-47778 - CVE Details, Severity, and Analysis | Strobes VI