EasyAdminBundle, Path Traversal and Reflected XSS, GHSA-2wwr-9x6f-88gp (Medium) -DC-Jul2026-788


How GHSA-2wwr-9x6f-88gp Works

EasyAdminBundle provides two public Twig components: `<twig:ea:Flag countryCode="...">` and `<twig:ea:Icon name="...">`. These components load SVG files from the server’s disk. The path to these files is built directly from a public property (`countryCode` or `name`) without any validation or sanitization. The loaded SVG content is then rendered in the page using Twig’s `|raw` filter, which outputs the content without escaping.
This design leads to two distinct vulnerabilities when an application allows end-users to influence these property values:
1. Arbitrary `.svg` File Disclosure (Path Traversal): The property value is concatenated directly into a filesystem path. Because path segments like `..` are not filtered or normalized, an attacker can use directory traversal sequences to read any file on the server that has a `.svg` extension. This could expose sensitive files like user-uploaded SVGs, configuration files, or any other `.svg` file accessible to the web server.
2. Reflected Cross-Site Scripting (XSS) in the Admin UI: This issue is specific to the `Flag` component. If the requested flag file does not exist, the component falls back to displaying a hard-coded SVG string. This fallback SVG string interpolates the user-controlled `countryCode` value twice and renders it with the `|raw` filter. An attacker can control the `countryCode` parameter to inject arbitrary HTML or JavaScript code. When an authenticated administrator visits the page, the malicious script executes within their admin session context.
It is crucial to note that the default usage within EasyAdminBundle is not vulnerable. The bundle itself only passes validated ISO country codes to the `Flag` component and pre-defined internal icon names to the `Icon` component. The vulnerability is only exploitable in third-party templates that directly pass user-controlled data into these component properties.

DailyCVE Form

Platform: EasyAdminBundle
Version: >=4.0.0, <4.29.10 & >=5.0.0, <5.0.10
Vulnerability: Path Traversal & Reflected XSS
Severity: Medium
Date: 2026-05-27

Prediction: 2026-05-27 (Patched in v4.29.10 & v5.0.10)

What Undercode Say: Analytics

The core of this vulnerability lies in the insecure handling of user input within Twig components. The following analysis highlights the technical flaws.
– Insecure Direct Object Reference (IDOR) in Path Construction:
The `Flag` and `Icon` components construct file paths using unsanitized user input. This is a classic example of Insecure Direct Object Reference (IDOR) leading to path traversal.

// Vulnerable logic (conceptual): countryCode is used unvalidated, so a value
// containing "../" segments escapes the flag directory before ".svg" is appended
$filePath = $this->getSvgPath() . '/' . $this->countryCode . '.svg';
$svgContent = file_get_contents($filePath);

– Unsafe Rendering with |raw:
The use of the `|raw` filter bypasses Twig’s automatic escaping, making the application susceptible to XSS if any user-controlled data is rendered.

{# Vulnerable template logic (conceptual): |raw disables autoescaping #}
{{ svgContent|raw }}

– Exploitation Vectors:
– Path Traversal: An attacker can use `../` sequences in the `countryCode` or `name` parameter to traverse directories.

GET /admin?countryCode=../../../../etc/passwd.svg

– Reflected XSS: An attacker can inject a malicious payload into the `countryCode` parameter when the requested flag does not exist.

GET /admin?countryCode=<script>alert('XSS')</script>

How to Exploit

An attacker can exploit these vulnerabilities under specific conditions:

1. Prerequisites:

  • The application uses EasyAdminBundle version `>=4.0.0, <4.29.10` or `>=5.0.0, <5.0.10`.
  • A third-party template uses the `<twig:ea:Flag>` or `<twig:ea:Icon>` component and passes user-controlled data to the `countryCode` or `name` property.

2. Exploitation Steps:

  • For Path Traversal: The attacker identifies a parameter that controls the `countryCode` or `name` property. They then inject a path traversal payload (e.g., ../../../../path/to/sensitive/file.svg) to read arbitrary `.svg` files from the server.
  • For Reflected XSS: The attacker crafts a URL where the `countryCode` parameter contains a malicious JavaScript payload (e.g., <script>alert('XSS')</script>). They then trick an authenticated admin user into clicking this link. The payload executes in the admin’s browser, potentially allowing session hijacking or other malicious actions.

Protection

To protect against this vulnerability, the following measures are recommended:
1. Upgrade EasyAdminBundle: The most effective protection is to upgrade to a patched version. The fix is included in EasyAdminBundle versions 4.29.10 and 5.0.10.
2. Validate and Sanitize User Input: If you are using the `Flag` or `Icon` components in a custom template, ensure that any user-supplied data passed to the `countryCode` or `name` properties is strictly validated against an allowlist of acceptable values.
3. Avoid Using `|raw` with User Input: In custom templates, avoid using the `|raw` filter on any content that includes user-controlled data. If it’s necessary, ensure the data is thoroughly sanitized first.
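The following PHP snippet is an added example, not EasyAdminBundle’s own code, showing how the vulnerable path construction and the fallback-string interpolation discussed in the analysis above can be hardened along the lines of measures 2 and 3: an allowlist check on `countryCode`, a `realpath()` containment check that keeps the resolved file inside the SVG directory, and a fallback that HTML-escapes the value before it is ever emitted. The class name `SafeFlagRenderer`, the directory argument and the four-entry allowlist are assumptions chosen for the demo.

```php
<?php
// Added example (not EasyAdminBundle's own code). Hardened handling of a
// user-influenced "countryCode" value. Names here are hypothetical; a real
// application would use the full ISO 3166-1 alpha-2 list as the allowlist.

final class SafeFlagRenderer
{
    /** @var string[] constructed allowlist for the demo */
    private const ALLOWED_CODES = ['de', 'fr', 'gb', 'us'];

    public function __construct(private string $svgDir) {}

    // Measure 2: strict allowlist validation. Anything that is not exactly an
    // allowed two-letter code is rejected before it touches a filesystem path.
    public static function isValidCountryCode(string $code): bool
    {
        return preg_match('/^[a-z]{2}$/', $code) === 1
            && in_array($code, self::ALLOWED_CODES, true);
    }

    // Defence in depth: even after validation, confine the resolved path to
    // $svgDir so that a future allowlist mistake cannot become traversal.
    public function resolveFlagPath(string $code): ?string
    {
        if (!self::isValidCountryCode($code)) {
            return null;
        }
        $base = realpath($this->svgDir);
        $path = realpath($this->svgDir . '/' . $code . '.svg');
        if ($base === false || $path === false) {
            return null;
        }
        // realpath() collapses any "..", so a path outside $base is detectable.
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }

    // Measure 3: the fallback never interpolates the raw value. It is escaped
    // for the HTML context, so even a template that applies |raw to this
    // string cannot be used to inject markup or script.
    public function render(string $code): string
    {
        $path = $this->resolveFlagPath($code);
        if ($path !== null) {
            return file_get_contents($path);
        }
        $safe = htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
            . '<title>' . $safe . '</title></svg>';
    }
}

// Constructed demo: a temporary directory holding one genuine flag file.
$dir = sys_get_temp_dir() . '/flags_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents(
    $dir . '/de.svg',
    '<svg xmlns="http://www.w3.org/2000/svg"><title>de</title></svg>'
);

$renderer = new SafeFlagRenderer($dir);

// A legitimate code resolves to the file inside the directory.
echo $renderer->render('de'), PHP_EOL;

// Traversal sequences fail the allowlist and never reach the filesystem.
var_dump($renderer->resolveFlagPath('../../etc/passwd'));

// A markup payload is rejected and appears only in escaped form.
echo $renderer->render('<script>alert(1)</script>'), PHP_EOL;
```

In a Twig template the same principle applies on the output side: keep autoescaping on for the fallback branch (no `|raw`), and reserve `|raw` for SVG content that was read from a path the code above has already confined to the trusted directory.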

Impact

  • Information Disclosure (Path Traversal): An attacker can read any file on the server with a `.svg` extension. This could lead to the exposure of sensitive application data, configuration files, or proprietary assets.
  • Account Takeover (Reflected XSS): The reflected XSS vulnerability is more critical as it allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This can lead to session hijacking, unauthorized actions performed on behalf of the admin, and other severe consequences.


Sources:

Reported By: github.com