CVE-2025-29790

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to upload malicious SVG files containing cross-site scripting (XSS) code to Contao CMS. When such a file is processed in the back end or displayed in the front end, the embedded script executes in the browser of whoever views it. All Contao CMS users with SVG upload capabilities are affected.

💻 Affected Systems

Products:
  • Contao CMS
Versions: before 4.13.54, 5.3.30, and 5.5.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SVG upload functionality enabled, which is common in CMS configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of admin accounts leading to site defacement, data theft, or server takeover through chained attacks.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions by authenticated users via stored XSS.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though SVG parsing remains risky.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload SVG files, typically available to authenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.13.54, 5.3.30, or 5.5.6

Vendor Advisory: https://contao.org/en/security-advisories/cross-site-scripting-through-svg-uploads

Restart Required: No

Instructions:

1. Back up your Contao installation and database.
2. Update Contao to version 4.13.54, 5.3.30, or 5.5.6 using Composer: composer update contao/core-bundle
3. Clear the cache: php vendor/bin/contao-console cache:clear
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable SVG Uploads

Temporarily disable SVG file uploads in Contao configuration to prevent exploitation.

Edit contao/config/config.yml and set allowed file extensions to exclude SVG.

Implement SVG Sanitization

Use a server-side SVG sanitizer to remove malicious content before processing.

Install and configure a library like SVG Sanitizer: composer require enshrined/svg-sanitize

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact.
  • Restrict SVG upload permissions to trusted administrators only.

🔍 How to Verify

Check if Vulnerable:

Check the Contao version via the admin panel, or examine the composer.lock file for the installed contao/core-bundle version.

Check Version:

php vendor/bin/contao-console contao:version

Verify Fix Applied:

Confirm that the installed version is 4.13.54, 5.3.30, or 5.5.6 or later on its respective branch, either in the admin interface or via composer show contao/core-bundle.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads, especially files whose content contains script tags or other JavaScript.

Network Indicators:

  • Requests for SVG files with parameters suggesting XSS payloads.

SIEM Query:

source="web_server" AND (uri_path="*.svg" OR user_agent CONTAINS "script")
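The log indicator above (SVG uploads carrying script tags or JavaScript) and the sanitization workaround both reduce to recognising script-bearing constructs inside an uploaded SVG. The following Python checker is an added example, not Contao code and not part of enshrined/svg-sanitize: it parses the file with the standard library, flags script and foreignObject elements, on* event-handler attributes and javascript:/vbscript: hrefs (including whitespace-obfuscated ones), and rejects files the XML parser cannot handle. The sample SVGs are constructed; the function could run as an upload gate or in a sweep over the files directory.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed arbitrary HTML; a conservative reject list (assumption).
RISKY_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed samples: a plain icon, two uploads carrying XSS constructs, and a truncated file.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java&#10;script:alert(1)"><text>x</text></a></svg>')
TRUNCATED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/>'

def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]

def is_script_uri(value):
    """True for javascript:/vbscript: URIs after dropping the whitespace and control
    characters browsers ignore (character references such as &#10; are already decoded)."""
    normalized = re.sub(r"[\x00-\x20]", "", value).lower()
    return normalized.startswith(("javascript:", "vbscript:"))

def find_svg_risks(svg_bytes):
    """Return a list of findings; an empty list means no script-bearing construct was seen."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Reject what the XML parser cannot handle instead of letting a browser guess.
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in RISKY_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)
            if attr_name.lower().startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and is_script_uri(value):  # href and xlink:href alike
                findings.append(f"script URI in href on <{name}>")
    return findings

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                          ("href", HREF_SVG), ("truncated", TRUNCATED_SVG)]:
        print(label, find_svg_risks(sample) or "no findings")
```

A file with any finding should be rejected or quarantined before Contao stores it; an empty list is necessary but not sufficient, so a full sanitizer remains the stronger control.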
