GHSA-c43v-4cr8-6mvp: Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read
Summary
An authenticated path traversal in assets/icon allows local SVG file read by passing traversal sequences in the extension parameter. The issue is caused by file existence checks happening before extension validation.
Details
The endpoint:
- src/controllers/AssetsController.php:1115-1123
- actionIcon(string $extension) calls Assets::iconPath($extension) and returns sendFile($path, ...).
In Assets::iconPath():
- Path is built from user-controlled extension:
- src/helpers/Assets.php:906-909
- If file_exists($path) is true, path is returned immediately:
- src/helpers/Assets.php:910-912
Validation exists in Assets::iconSvg():
- preg_match('/^\w+$/', $extension)
- src/helpers/Assets.php:927-931
However, that validation is only reached if iconPath() does not find a file.
So traversal payloads that resolve to existing .svg files bypass validation and are served by sendFile().
Impact
- Authenticated users can read local .svg files accessible to the application process.
References
- https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c
Details
Original advisory: https://github.com/advisories/GHSA-c43v-4cr8-6mvp
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10