VDB
KO
LOW

GHSA-c43v-4cr8-6mvp

Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read

Details

### Summary

An authenticated path traversal in `assets/icon` allows local SVG file read by passing traversal sequences in the `extension` parameter. The issue is caused by file existence checks happening before extension validation.

### Details The endpoint: - `src/controllers/AssetsController.php:1115-1123` - `actionIcon(string $extension)` calls `Assets::iconPath($extension)` and returns `sendFile($path, ...)`.

In `Assets::iconPath()`: - Path is built from user-controlled `extension`: - `src/helpers/Assets.php:906-909` - If `file_exists($path)` is true, path is returned immediately: - `src/helpers/Assets.php:910-912`

Validation exists in `Assets::iconSvg()`: - `preg_match('/^\w+$/', $extension)` - `src/helpers/Assets.php:927-931`

However, that validation is only reached if `iconPath()` does **not** find a file. So traversal payloads that resolve to existing `.svg` files bypass validation and are served by `sendFile()`.

### Impact

- Authenticated users can read local .svg files accessible to the application process.

### References

- https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / craftcms/cms
Introduced in: 4.0.0-RC1 Fixed in: 4.17.7
Fix composer require craftcms/cms:^4.17.7
Packagist / craftcms/cms
Introduced in: 5.0.0-RC1 Fixed in: 5.9.13
Fix composer require craftcms/cms:^5.9.13

References