Kevin Froman's blog

Blog on security, programming, & other musings

Zeronet: Death By Svg


An often overlooked feature of SVGs is their ability to have embedded scripts, like HTML pages.

When displayed in an <img> tag, SVGs are not permitted to execute scripts, however, when they are viewed directly, they are.

This occasionally leads to XSS vulnerabilities in web services.

Impact on ZeroNet

ZeroNet logo

ZeroNet allows Javascript to execute in websites hosted in it, but it protects the ZeroNet interface and user data by embedding the pages in a sandboxed iframe, this works well, except ZeroNet also allowed some file types to be downloaded directly, outside of iframes.

This meant that SVG files could be used to arbitrarily control a ZeroNet client, and do anything the user could normally do, such as post on ZeroMe, view and send ZeroMail messages, download and seed websites and files, and toggle Tor mode.

Fixing the issue

I contacted Tamas, who quickly responded and got the issue fixed a couple weeks later. The fix was published in release 0.5.7. I highly suggest all ZeroNet users update ASAP.


It is important to keep in mind what mime-types to trust, as more than just HTML can embed/execute code.

Written by anonymous