High Severity
Attachment: Embedded Javascript in SVG file
Description
Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
References
- https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b
- https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961
- https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275
- https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440
- https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea
- https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3
- https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878
Sublime Security
Created Aug 17th, 2023 • Last updated Apr 17th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension in~ ("svg", "svgz")
and (
strings.ilike(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
or regex.icontains(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
'<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
)
or any(beta.scan_base64(file.parse_text(.).text,
encodings=["ascii", "utf8", "utf16-le"]
),
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
or (
(
.file_extension in $file_extensions_common_archives
or .file_type == "gz"
or .content_type == "application/x-gzip"
)
and any(file.explode(.),
(
.file_extension in~ ("svg", "svgz")
or .flavors.mime == "image/svg+xml"
)
and any(.scan.strings.strings,
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
)
Playground
Test against your own EMLs or sample data.