- Type: Advisory
- Component Type: TYPO3 CMS
- Subcomponent: SVG Sanitizer (based on enshrined/svg-sanitize)
- Release Date: August 14, 2025
- Impact: Link Injection, in some cases Cross-Site Scripting
- Affected Versions: 9.0.0-9.5.53, 10.0.0-10.4.52, 11.0.0-11.5.46, 12.0.0-12.4.35, 13.0.0-13.4.16
- Severity: Medium
- Suggested CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
- References: CVE-2025-55166
Problem Description
The enshrined/svg-sanitize library (versions before 0.22.0) did not properly sanitize resource references in mixed-case attributes (for example HrEf="..." or xlink:HrEf="...") in SVG content. The sanitizer recognised reference attributes by their exact, case-sensitive name, whereas HTML parsers fold attribute names to lower case; a mixed-case attribute that passed through the sanitizer untouched therefore became an ordinary href or xlink:href as soon as the SVG was embedded inline in an HTML document. This allowed an attacker to inject links to external sites and, if no Content-Security-Policy (CSP) headers were in place, to execute JavaScript. Only inline SVG content embedded directly in HTML was affected: SVG delivered as a standalone image is parsed as XML, where attribute names are case-sensitive and the mixed-case attribute is simply not a reference.
For more details, see the official advisory for the library.
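The following is an added example and not code from TYPO3 or from enshrined/svg-sanitize. It reproduces the flaw class with a small, hypothetical sanitizer (sanitize, hrefs_after_html_parse, hrefs_after_xml_parse are names chosen for this demo, and the allow-list policy that only same-document "#fragment" references may stay is an assumption, not the library's rules). The constructed payload carries HrEf and xlink:HrEf; the case-sensitive pass leaves both in place, the HTML parser then lowercases the names and sees live references, while an XML parse of the same output, which is how a standalone SVG image is read, sees none.

```python
"""Case-sensitive reference matching in an SVG sanitizer, and why only
inline SVG is affected. Added example, not TYPO3 or svg-sanitize code."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep serialized output readable: default namespace for SVG, "xlink" prefix.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Exact ElementTree attribute keys the naive sanitizer treats as references.
REFERENCE_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Constructed sample payload: two mixed-case references plus one benign one.
SAMPLE_SVG = (
    '<svg xmlns="%s" xmlns:xlink="%s">'
    '<a HrEf="javascript:alert(1)"><text>x</text></a>'
    '<a xlink:HrEf="https://attacker.example/"><text>y</text></a>'
    '<a href="#local"><text>z</text></a>'
    '</svg>'
) % (SVG_NS, XLINK_NS)


def _local_name(key: str) -> str:
    """'{uri}name' -> 'name'; unqualified names are returned unchanged."""
    return key.rsplit("}", 1)[-1]


def _is_allowed_reference(value: str) -> bool:
    # Demo policy (assumption): only same-document fragment references stay.
    return value.strip().startswith("#")


def sanitize(svg: str, case_insensitive: bool) -> str:
    """Strip disallowed reference attributes from an SVG string.

    case_insensitive=False mimics the flawed behaviour: only attributes whose
    name matches exactly count as references, so HrEf and xlink:HrEf pass
    through untouched. case_insensitive=True compares the lower-cased local
    name, which is what the HTML parser will do to the name anyway.
    """
    root = ET.fromstring(svg)
    for el in root.iter():
        for key in list(el.attrib):
            if case_insensitive:
                is_reference = _local_name(key).lower() == "href"
            else:
                is_reference = key in REFERENCE_ATTRS
            if is_reference and not _is_allowed_reference(el.attrib[key]):
                del el.attrib[key]
    return ET.tostring(root, encoding="unicode")


class _HrefCollector(HTMLParser):
    """Records href values as an HTML parser sees them: html.parser, like a
    browser's tokenizer, folds attribute names to lower case."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "xlink:href"):
                self.hrefs.append(value)


def hrefs_after_html_parse(markup: str) -> list:
    """References a browser would act on when the markup is inlined in HTML."""
    parser = _HrefCollector()
    parser.feed(markup)
    parser.close()
    return parser.hrefs


def hrefs_after_xml_parse(markup: str) -> list:
    """Same markup read as XML (standalone SVG image): names are case-sensitive,
    so a surviving HrEf is not a reference at all."""
    root = ET.fromstring(markup)
    return [el.attrib[k] for el in root.iter() for k in el.attrib
            if _local_name(k) == "href"]


if __name__ == "__main__":
    for mode in (False, True):
        out = sanitize(SAMPLE_SVG, case_insensitive=mode)
        print("case_insensitive=%s inline=%s standalone=%s"
              % (mode, hrefs_after_html_parse(out), hrefs_after_xml_parse(out)))
```

The differential is the whole bug: the XML view and the HTML view of the same sanitized bytes disagree about which attributes are references, and the sanitizer sided with the XML view. Any sanitizer that decides on attribute names must normalise them to the case the consuming parser will use.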
Solution
Update to TYPO3 versions 9.5.54 ELTS, 10.4.53 ELTS, 11.5.47 ELTS, 12.4.36 LTS or 13.4.17 LTS, which fix the problem described above by shipping version 0.22.0 of the enshrined/svg-sanitize library.
Note: Because TYPO3 previously constrained the dependency to "^0.20.0", Composer could not install enshrined/svg-sanitize version 0.22.0 into an existing installation without updating TYPO3 itself. The updated TYPO3 releases require "~0.22", so the fixed library version and its future releases in that range are pulled in automatically. After updating, confirm the installed library version with composer show enshrined/svg-sanitize in the project root; it must report 0.22.0 or later.
General Advice
Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.