org.webjars.npm:fabric 5.2.4-browser

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:fabric package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Encoding or Escaping of Output org.webjars.npm:fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the `toSVG` and `getSvgStyles`/`getSvgSpanStyles` paths in the gradient, object, and text SVG export components. An attacker can inject malicious CSS or XML payloads by supplying crafted gradient stop colors, fill/stroke/style properties, or text decoration values that are serialized into inline SVG attributes and style declarations. This lets the attacker produce SVG output containing executable script or event-handler markup, putting users who open or embed the exported SVG at risk of script execution and content injection. How to fix Improper Encoding or Escaping of Output? A fix was pushed into the `master` branch but not yet published.	[0,)
M Cross-site Scripting (XSS) org.webjars.npm:fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `loadFromJSON()` function, which is used in the `FabricObjectSVGExportMixin` class to deserialize unsanitized JSON and assign properties directly to objects. An attacker can inject malicious values into SVG attributes such as `id`, `xlink:href`, which are then exported via the `toSVG()` function. This allows scripts to be executed when the SVG is rendered in a browser. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)

Vulnerability

Vulnerable Version

Improper Encoding or Escaping of Output

org.webjars.npm:fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the toSVG and getSvgStyles/getSvgSpanStyles paths in the gradient, object, and text SVG export components. An attacker can inject malicious CSS or XML payloads by supplying crafted gradient stop colors, fill/stroke/style properties, or text decoration values that are serialized into inline SVG attributes and style declarations. This lets the attacker produce SVG output containing executable script or event-handler markup, putting users who open or embed the exported SVG at risk of script execution and content injection.

How to fix Improper Encoding or Escaping of Output?

A fix was pushed into the master branch but not yet published.

[0,)

Cross-site Scripting (XSS)

org.webjars.npm:fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the loadFromJSON() function, which is used in the FabricObjectSVGExportMixin class to deserialize unsanitized JSON and assign properties directly to objects. An attacker can inject malicious values into SVG attributes such as id, xlink:href, which are then exported via the toSVG() function. This allows scripts to be executed when the SVG is rendered in a browser.

How to fix Cross-site Scripting (XSS)?

A fix was pushed into the master branch but not yet published.

[0,)

org.webjars.npm:fabric@5.2.4-browser

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically