Is enshrined/svg-sanitize affected by CVE-2025-55166?

Packagist enshrined/svg-sanitize is affected in <0.22.0.

Is CVE-2025-55166 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

medium

CVE-2025-55166

Q: Is CVE-2025-55166 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

Packagist · enshrined/svg-sanitize

Summary

svg-sanitizer Bypasses Attribute Sanitization

Severity: medium
EPSS: 0.4% (p34)
Also known as: GHSA-22wq-q86m-83fh
Published: 2025-08-12

References

https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh
https://nvd.nist.gov/vuln/detail/CVE-2025-55166
https://github.com/darylldoyle/svg-sanitizer/commit/0afa95ea74be155a7bcd6c6fb60c276c39984500

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.