GHSA-97jm-g33h-f46g
MEDIUMsilverstripe/framework ReadOnly transformation for formfields exploitable
Blast Radius
silverstripe/framework🐘silverstripe/framework🐘silverstripe/framework🐘silverstripe/frameworkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default.
SilverStripe forms automatically load values from request data (GET and POST), which enables malicious use of URLs if your form uses these fields and doesn't overwrite data on form construction.
Readonly and disabled form fields are already filtered out in Form->saveInto(), so maliciously submitted data on these fields doesn't make it into the database unless you are accessing form values directly in your saving logic.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | silverstripe/framework | all versions | 3.1.21 |
| 🐘Packagist | silverstripe/framework | ≥ 3.2.0&&< 3.2.6 | 3.2.6 |
| 🐘Packagist | silverstripe/framework | ≥ 3.3.0&&< 3.3.4 | 3.3.4 |
| 🐘Packagist | silverstripe/framework | ≥ 3.4.0&&< 3.4.2 | 3.4.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for silverstripe/framework. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update silverstripe/framework to 3.1.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-97jm-g33h-f46g is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-97jm-g33h-f46g is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-97jm-g33h-f46g. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-97jm-g33h-f46g in your dependencies?
O3 detects GHSA-97jm-g33h-f46g across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.