Comment by pcthrowaway

6 days ago

Wait, so are recursive XXE attacks like (I'm assuming) this one possible on GitHub READMEs? Or have they somehow mitigated them?

It's recursive, but not XXE. It is 20 layers of nested SVG groups, where the first group contains 10 blue circles, and every subsequent group contains 10 of the previous group. This would render as around 10^20 blue circles.

  • SVG is XML-based, unlike HTML, which follows the SGML spec

    From curling the malicious page you can also see:

        <?xml version="1.0" encoding="UTF-8"?>
        <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1000" height="1000">

    • Yes, SVGs are XML-based and may be vulnerable to generic XML-based XML external entity (XXE) or exponential entity expansion attacks, but this particular malicious SVG is using SVG-specific features to create the resource exhaustion.

I think external entities can be disabled completely, right? But who knows, it may pay off to check out what GH did here :)
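As an added example (not code from this thread, nor GitHub's own mitigation), here is a defender-side check in Python that walks an SVG's `<use>` references and costs the expansion arithmetically before anything is rasterized, so a document built like the one described above (20 layers of 10 copies) is refused on the count rather than discovered by rendering. The function names, the default limit and the scaled-down sample SVG are constructed for this example.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SHAPES = {"circle", "rect", "ellipse", "line", "polyline", "polygon", "path", "text", "image"}
NOT_RENDERED = {"defs", "symbol", "metadata", "title", "desc", "style", "script"}

def expanded_shape_count(svg_text, limit=100_000):
    """Shapes drawn once every <use> is followed; ValueError if over `limit` or cyclic."""
    root = ET.fromstring(svg_text)  # entity-based attacks are the XML parser's job, not this check's
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo, active = {}, set()  # memo: id -> shape count; active: ids on the current <use> path
    def count(el):
        tag = el.tag.rsplit("}", 1)[-1]  # strip the namespace from "{...svg}circle"
        if tag in SHAPES:
            return 1
        if tag == "use":
            ref = (el.get("href") or el.get(XLINK_HREF) or "").lstrip("#")
            target = by_id.get(ref)
            if target is None:
                return 0  # dangling reference draws nothing
            if ref in active:
                raise ValueError(f"cyclic <use> chain through #{ref}")
            if ref not in memo:  # each group is costed once, so the walk stays linear in file size
                active.add(ref)
                memo[ref] = count(target)
                active.discard(ref)
            return memo[ref]
        total = 0  # container: sum the children, skipping subtrees that never draw on their own
        for child in el:
            if child.tag.rsplit("}", 1)[-1] not in NOT_RENDERED:
                total += count(child)
                if total > limit:
                    raise ValueError(f"expands to more than {limit} shapes")
        return total
    return count(root)

def is_safe_svg(svg_text, limit=100_000):
    """Gate to run before handing an untrusted SVG to a rasterizer."""
    try:
        return expanded_shape_count(svg_text, limit) <= limit
    except ValueError:
        return False

# Constructed sample in the thread's shape, scaled down: g0 holds 3 circles, g1 holds 3 copies
# of g0, g2 holds 3 copies of g1, and the document draws g2 twice -> 2 * 3**3 = 54 shapes.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><defs>
<g id="g0"><circle r="4" fill="blue"/><circle cx="10" r="4" fill="blue"/><circle cx="20" r="4" fill="blue"/></g>
<g id="g1"><use xlink:href="#g0"/><use xlink:href="#g0" y="10"/><use xlink:href="#g0" y="20"/></g>
<g id="g2"><use xlink:href="#g1"/><use xlink:href="#g1" x="30"/><use xlink:href="#g1" x="60"/></g>
</defs><use xlink:href="#g2"/><use xlink:href="#g2" y="40"/></svg>"""
```

The count grows multiplicatively per layer while the file grows only linearly, which is exactly why a byte-size limit on the upload does not catch this class of document.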