{"url":"http://public2.vulnerablecode.io/api/packages/928698?format=json","purl":"pkg:npm/fabric@2.0.0-rc.1","type":"npm","namespace":"","name":"fabric","version":"2.0.0-rc.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.2.0","latest_non_vulnerable_version":"7.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20198?format=json","vulnerability_id":"VCID-gmqx-hp62-s7hc","summary":"Fabric.js Affected by Stored XSS via SVG Export\nfabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers.\n\n### Deserialization Path (no sanitization)\n\n`loadFromJSON()` (`src/canvas/StaticCanvas.ts:1229`) calls `enlivenObjects()` which calls `_fromObject()` (`src/shapes/Object/Object.ts:1902`). `_fromObject` passes all deserialized properties to the shape constructor via `new this(enlivedObjectOptions)`. The constructor ultimately calls `_setOptions()` (`src/CommonMethods.ts:9`) which iterates over every property and assigns it to the object via `this.set(prop, options[prop])`. There is no allowlist or sanitization - any property in the JSON, including `id`, is set verbatim on the fabric object.\n\n---\n\n### Finding 1: XSS via `id` Property Injection \n\nThe `id` property from deserialized JSON is interpolated directly into SVG attribute strings without escaping.\n\n**Vulnerable code (`src/shapes/Object/FabricObjectSVGExportMixin.ts`, line 89, `getSvgCommons()`):**\n```typescript\ngetSvgCommons(\n  this: FabricObjectSVGExportMixin & FabricObject & { id?: string },\n) {\n  return [\n    this.id ? `id=\"${this.id}\" ` : '',  // <-- unescaped, user-controlled\n    this.clipPath\n      ? `clip-path=\"url(#${...})\" `\n      : '',\n  ].join('');\n}\n```\n\nThis method is called in `_createBaseSVGMarkup()` (same file, line 178) which wraps every object's SVG output in a `<g>` element. Every fabric object type (Rect, Circle, Path, Text, Image, Group, etc.) inherits this mixin, so the `id` injection vector applies to all object types.\n\n**Contrast with text content, which IS escaped:**\n```typescript\n// src/shapes/Text/TextSVGExportMixin.ts:186\nreturn `<tspan ...>${escapeXml(char)}</tspan>`;\n```\n\nThe inconsistency shows that the intention was to prevent injection but was missed w attribute contexts.\n\n---\n\n### Finding 2: XSS via Image `src` / `xlink:href` Injection \n\nImage source URLs are interpolated raw into `xlink:href` in `_toSVG()`.\n\n**Vulnerable code (`src/shapes/Image.ts`, line 404, `_toSVG()`):**\n```typescript\nimageMarkup.push(\n  '\\t<image ',\n  'COMMON_PARTS',\n  `xlink:href=\"${this.getSvgSrc(true)}\" x=\"${x - this.cropX}\" y=\"${\n    y - this.cropY\n  }\" ...`  // <-- unescaped\n);\n```\n\n`getSvgSrc()` returns the image `src` property which is set from JSON during deserialization. An attacker can inject a `src` value that breaks out of the `xlink:href` attribute.\n\n---\n\n### Finding 3: XSS via Pattern `sourceToString()` \n\n**Vulnerable code (`src/Pattern/Pattern.ts`, line 181, `toSVG()`):**\n```typescript\n`<image x=\"0\" y=\"0\" ... xlink:href=\"${this.sourceToString()}\"></image>`\n// <-- unescaped, returns this.source.src for image sources\n```\n\nAdditionally, Pattern's constructor (`line 92–94`) runs `this.id = uid()` *before* `Object.assign(this, options)`, meaning a user-supplied `id` in the pattern JSON overwrites the auto-generated uid. The pattern `id` is then interpolated unescaped on line 180:\n```typescript\n`<pattern id=\"SVGID_${id}\" x=\"${patternOffsetX}\" ...>`\n```\n\n---\n\n### Finding 4: Gradient `id` Partial Injection (lower Severity)\n\n**Vulnerable code (`src/gradient/Gradient.ts`, line 212, `toSVG()`):**\n```typescript\n`id=\"SVGID_${this.id}\"`  // <-- unescaped\n```\n\nGradient's constructor (`line 125`) computes `id: id ? `${id}_${uid()}` : uid()`. If a user-supplied `id` is present in the gradient JSON, it is prepended to the auto-generated uid. The user-controlled portion is interpolated unescaped into the SVG. This is exploitable but the payload is constrained by the `_<uid>` suffix appended after it.\n\n---\n\n## Impact\n\nAny application that:\n1. Accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins), AND\n2. Renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed)\n\n...is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session.\n\nReal-world attack scenarios:\n- Collaborative design tools (Canva-like apps) where users share canvas state as JSON\n- CMS or e-commerce platforms with fabric.js-based editors that store/render designs\n- Any export-to-SVG workflow where the SVG is later displayed in a browser\n\n---\n\n## Remediation\n\nUpdate to [fabric.js 7.2.0](https://github.com/fabricjs/fabric.js/releases/tag/v720) or newer version. \n\n---\n\n## Confirmed Affected Files\n\n| File | Issue | Method | Exploitable |\n|---|---|---|---|\n| `src/shapes/Object/FabricObjectSVGExportMixin.ts` | Unescaped `this.id` in attribute | `getSvgCommons()` | Yes - primary vector, all object types |\n| `src/shapes/Image.ts` | Unescaped `getSvgSrc()` in `xlink:href` | `_toSVG()` | Yes |\n| `src/Pattern/Pattern.ts` | Unescaped `sourceToString()` in `xlink:href`; unescaped `id` in attribute | `toSVG()` | Yes |\n| `src/gradient/Gradient.ts` | User-supplied `id` prefix interpolated unescaped | `toSVG()` | Yes (partial - uid suffix appended) |","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27013","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17707","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27013"},{"reference_url":"https://github.com/fabricjs/fabric.js","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/fabricjs/fabric.js"},{"reference_url":"https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:54:40Z/"}],"url":"https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee"},{"reference_url":"https://github.com/fabricjs/fabric.js/releases/tag/v720","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:54:40Z/"}],"url":"https://github.com/fabricjs/fabric.js/releases/tag/v720"},{"reference_url":"https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-19T20:54:40Z/"}],"url":"https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27013","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27013"},{"reference_url":"https://github.com/advisories/GHSA-hfvx-25r5-qc3w","reference_id":"GHSA-hfvx-25r5-qc3w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hfvx-25r5-qc3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55686?format=json","purl":"pkg:npm/fabric@7.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fabric@7.2.0"}],"aliases":["CVE-2026-27013","GHSA-hfvx-25r5-qc3w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmqx-hp62-s7hc"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/fabric@2.0.0-rc.1"}