GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper
Vulnerability ID: GHSA-C43V-4CR8-6MVP
CVSS Score: 6.5
Published: 2026-07-09
An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.
TL;DR
Authenticated path traversal in Craft CMS allows reading local SVG files and executing Stored XSS via malicious file paths.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS Score: 6.5 (Medium)
- EPSS Score: N/A (No CVE assigned)
- Impact: Local File Read & Stored Cross-Site Scripting (XSS)
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- Craft CMS 4.x installations <= 4.17.6
-
Craft CMS: >= 4.0.0, <= 4.17.6 (Fixed in:
4.17.7)
Code Analysis
Commit: 30f5f1a
Enforce strict extension validation in Assets helper to block path traversal in icon path resolution
@@ -886,6 +886,10 @@ public static function downloadFile(BaseFsInterface $fs, string $uriPath, string
*/
public static function iconUrl(string $extension): string
{
+ if (!preg_match('/^\w+$/', $extension)) {
+ throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+ }
+
return UrlHelper::actionUrl('assets/icon', [
'extension' => $extension,
]);
@@ -901,6 +905,10 @@ public static function iconUrl(string $extension): string
*/
public static function iconPath(string $extension): string
{
+ if (!preg_match('/^\w+$/', $extension)) {
+ throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+ }
+
$path = sprintf('%s%s%s.svg', Craft::$app->getPath()->getAssetsIconsPath(), DIRECTORY_SEPARATOR, strtolower($extension));
Mitigation Strategies
- Upgrade Craft CMS to version 4.17.7 or later to implement server-side path validation.
- Configure Web Application Firewall rules to detect and drop requests containing directory traversal sequences in the query parameters.
- Deploy restrictive Content Security Policies to prevent execution of inline scripts within SVG files inside the browser context.
Remediation Steps:
- Identify active installations of Craft CMS utilizing the command 'composer show craftcms/cms'.
- Execute 'composer update craftcms/cms' to pull the patched version 4.17.7.
- Clear application caches using './craft clear-caches/all' to ensure updated helper logic is enforced immediately.
- Audit standard user upload directories for unauthorized or suspicious SVG files containing script blocks.
References
Read the full report for GHSA-C43V-4CR8-6MVP on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)