GHSA-cj3w-g42v-wcj6: ibexa/fieldtype-richtext allows access to external entities in XML
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.
If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.
References
- developers.ibexa.co/security-advisories/ibexa-sa-2025-002-xxe-vulnerability-in-richtext
- github.com/advisories/GHSA-cj3w-g42v-wcj6
- github.com/ibexa/fieldtype-richtext
- github.com/ibexa/fieldtype-richtext/commit/823cba6b5ee2e81d7d74e622ce42c1451e8e1337
- github.com/ibexa/fieldtype-richtext/security/advisories/GHSA-cj3w-g42v-wcj6
Code Behaviors & Features
Detect and mitigate GHSA-cj3w-g42v-wcj6 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →