GHSA-cj3w-g42v-wcj6
ibexa/fieldtype-richtext allows access to external entities in XML
Blast Radius
ibexa/fieldtype-richtextReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XML, an attacker could perform an attack using XML external entity (XXE) injection, which might be able to read files on the server. To exploit this vulnerability the attacker would need to already have edit permission to content with RichText fields, which typically means Editor role or higher. The fix removes unsafe elements from XML code, while preserving safe elements.
If you have a stored XXE attack in your content drafts, the fix prevents it from extracting data both during editing and preview. However, if such an attack has already been published and the result is stored in the content, it is unfortunately not possible to detect and remove it by automatic means.
Credits
This vulnerability was discovered and reported to Ibexa by Dennis Henke, Thorsten Niephaus, Marat Aytuganov, and Stephan Sekula of Compass Security Deutschland GmbH. We thank them for reporting it responsibly to us.
Patches
- See "Patched versions"
- https://github.com/ibexa/fieldtype-richtext/commit/823cba6b5ee2e81d7d74e622ce42c1451e8e1337
Workarounds
- Exploitation requires edit access to RichText content. If you can trust your editors, and you don't grant edit permission to any externals, you are not at risk in practice.
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | ibexa/fieldtype-richtext | ≥ 4.6.0-beta1&&< 4.6.19 | 4.6.19 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ibexa/fieldtype-richtext. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ibexa/fieldtype-richtext to 4.6.19 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-cj3w-g42v-wcj6 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-cj3w-g42v-wcj6 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-cj3w-g42v-wcj6. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-cj3w-g42v-wcj6 in your dependencies?
O3 detects GHSA-cj3w-g42v-wcj6 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.