
CVE-2026-27013: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in fabricjs fabric.js

Severity: High
Tags: CVE-2026-27013, CWE-79, CWE-116
Published: Thu Feb 19 2026 (02/19/2026, 19:38:19 UTC)
Source: CVE Database V5
Vendor/Project: fabricjs
Product: fabric.js

Description

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.

AI-Powered Analysis

Last updated: 02/19/2026, 21:46:25 UTC

Technical Analysis

Fabric.js is a popular JavaScript HTML5 canvas library used for rendering and manipulating vector graphics on web pages. Prior to version 7.2.0, fabric.js implemented partial escaping of text content during SVG export using the escapeXml() function, but this escaping was not applied consistently to all user-controlled string values interpolated into SVG attribute markup. Specifically, when JSON data containing attacker-controlled strings is loaded into fabric.js via the loadFromJSON() method, these strings can be embedded into SVG attributes without proper sanitization. Later, when the toSVG() method is called to export the canvas as SVG, these unescaped strings can break out of XML attribute contexts and inject arbitrary SVG elements, including those with event handlers that execute JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output). The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session, potentially stealing sensitive information, performing actions on behalf of the user, or disrupting application availability. Exploitation requires that the application accepts user-supplied JSON data and renders the SVG output in a browser context, such as in SVG previews, export downloads rendered inline, email templates, or embedded content.

The vulnerability has a CVSS 3.1 base score of 7.6, indicating high severity due to network attack vector, no privileges required, low attack complexity, requirement for user interaction, and significant impact on confidentiality and availability. The issue was addressed in fabric.js version 7.2.0 by ensuring all user-controlled strings are properly escaped during SVG export. No public exploits have been reported to date, but the vulnerability poses a significant risk wherever vulnerable versions are used in web applications that handle untrusted JSON input.
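The escaping gap described in the Description and Technical Analysis above, shown as an added example written for this page. This is not fabric.js source: `exportTextUnsafe` and `exportTextSafe` are a deliberately minimal stand-in for a text object's SVG serialization, the `<text font-family=...>` fragment is simplified, and `escapeXml` is an assumed five-character XML escaper rather than fabric's implementation. The object fields (`type`, `text`, `fontFamily`) follow fabric's JSON format; the sample values are constructed.

```javascript
// Added example: a minimal model of the defect class in CVE-2026-27013, not
// fabric.js's own code. exportTextUnsafe mirrors the pre-7.2.0 pattern in
// which text content is escaped but attribute values are interpolated raw;
// exportTextSafe escapes every user-controlled string (the 7.2.0 behaviour).

// Assumed escaper: neutralize the five XML-significant characters so a value
// is safe both as text content and inside a double- or single-quoted attribute.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Vulnerable pattern: text content is escaped, the attribute value is not.
function exportTextUnsafe(obj) {
  return `<text font-family="${obj.fontFamily}">${escapeXml(obj.text)}</text>`;
}

// Fixed pattern: every interpolated string passes through escapeXml().
function exportTextSafe(obj) {
  return `<text font-family="${escapeXml(obj.fontFamily)}">${escapeXml(obj.text)}</text>`;
}

// Defender's check: count the attributes on the serialized <text> element.
// A well-formed export of this object has exactly one (font-family); any
// extra attribute means the attribute boundary was broken by the input.
function countAttributes(svg) {
  const open = svg.match(/^<text\b([^>]*)>/);
  if (!open) return -1;
  return (open[1].match(/\b[\w-]+="[^"]*"/g) || []).length;
}

// Constructed sample: the font name carries a double quote, the character
// that terminates an attribute value. No script is involved; the point is
// only that the attribute boundary is lost.
const sampleObject = {
  type: "text",
  text: "Hello <world> & friends",
  fontFamily: 'Arial" data-injected="1',
};

console.log(exportTextUnsafe(sampleObject)); // two attributes: boundary broken
console.log(exportTextSafe(sampleObject));   // one attribute: quote is &quot;
```

`countAttributes` is the kind of invariant check worth keeping in a test suite for any SVG serializer: feed every string field a value containing `"`, `'`, `<` and `&`, and assert the attribute count of the output never changes.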

Potential Impact

The vulnerability enables attackers to execute arbitrary JavaScript in the browsers of users who view SVG content generated by vulnerable fabric.js instances. This can lead to theft of sensitive data such as session tokens, credentials, or personal information, unauthorized actions performed on behalf of the user, and potential disruption of service through malicious scripts. Organizations using fabric.js in collaborative applications, content management systems, email template editors, or any web service that imports user-generated JSON and renders SVG output are at risk of stored XSS attacks. The impact is particularly severe for applications with high user interaction or those embedded in trusted environments, as attackers can leverage the vulnerability to compromise user accounts and escalate attacks within the affected network. The vulnerability's network accessibility and lack of authentication requirements increase its risk profile, although user interaction is needed to trigger the malicious SVG rendering. The overall impact includes potential data breaches, reputational damage, and compliance violations for organizations worldwide.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade fabric.js to version 7.2.0 or later, where the issue is fixed by proper escaping of all user-controlled strings during SVG export. Until the upgrade can be applied, developers should implement strict input validation and sanitization on all JSON data accepted via loadFromJSON(), rejecting or sanitizing any suspicious or unexpected content. Additionally, applications should avoid rendering untrusted SVG content inline in browsers or email clients without sanitization. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS. Where feasible, disable or restrict features that allow importing or sharing of user-generated JSON data that is later converted to SVG. Regularly audit and monitor application logs for unusual SVG export activity or injection attempts. Educate developers about secure handling of SVG and JSON inputs to prevent similar vulnerabilities. Finally, conduct penetration testing focused on SVG and JSON input vectors to identify residual risks.
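One concrete form of the "strict input validation on all JSON accepted via loadFromJSON()" recommendation, as an added example written for this page rather than fabric.js code. The proper fix remains the 7.2.0 upgrade; this gate is defence in depth for the interval before it. The document layout (`{ version, objects: [...] }`) and field names such as `fontFamily` follow fabric's JSON format; the policy itself is an assumption: the `text` key is allowed to carry any characters because the page states text content is escaped on export, while every other string field is refused if it contains an XML-significant character, so a vulnerable build never receives an attribute-breaking value.

```javascript
// Added example (not fabric.js code): validate user-supplied canvas JSON
// before passing it to loadFromJSON(). Assumed policy: only the "text" key
// may contain XML-significant characters; all other strings are treated as
// attribute material.

// Keys whose values become SVG text content, which the export escapes.
const TEXT_CONTENT_KEYS = new Set(["text"]);

// Characters that can terminate an XML attribute value or start markup.
const XML_SPECIAL = /[<>"'&]/;

// Guard against pathological nesting in untrusted input.
const MAX_DEPTH = 32;

// Returns { ok, violations }; violations are JSONPath-style locations.
function validateCanvasJson(doc) {
  const violations = [];
  if (!doc || typeof doc !== "object" || !Array.isArray(doc.objects)) {
    return { ok: false, violations: ["$: root must be an object with an objects array"] };
  }
  walk(doc, "$", 0, violations);
  return { ok: violations.length === 0, violations };
}

function walk(node, path, depth, violations) {
  if (depth > MAX_DEPTH) {
    violations.push(`${path}: nesting too deep`);
    return;
  }
  if (Array.isArray(node)) {
    node.forEach((item, i) => walk(item, `${path}[${i}]`, depth + 1, violations));
    return;
  }
  if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (typeof value === "string") {
        if (!TEXT_CONTENT_KEYS.has(key) && XML_SPECIAL.test(value)) {
          violations.push(`${childPath}: contains XML-significant character`);
        }
      } else {
        walk(value, childPath, depth + 1, violations);
      }
    }
  }
}

// Constructed samples. The "good" document has markup characters only in
// its text content; the "bad" one carries a double quote in fontFamily.
const SAMPLE_GOOD = JSON.stringify({
  version: "7.1.0",
  objects: [
    { type: "text", text: "Hello <b>& more", fontFamily: "Arial", fill: "#112233", left: 10 },
  ],
});
const SAMPLE_BAD = JSON.stringify({
  version: "7.1.0",
  objects: [
    { type: "text", text: "Hello", fontFamily: 'Arial" x="y', fill: "#112233" },
  ],
});

// Typical use before canvas.loadFromJSON(doc): refuse the whole document on
// any violation rather than silently stripping fields.
function acceptForLoad(jsonText) {
  const result = validateCanvasJson(JSON.parse(jsonText));
  if (!result.ok) console.warn("rejected canvas JSON:", result.violations);
  return result.ok;
}

console.log(acceptForLoad(SAMPLE_GOOD)); // true
console.log(acceptForLoad(SAMPLE_BAD));  // false, one violation logged
```

Rejecting rather than sanitizing keeps the decision auditable: the logged violation path (`$.objects[0].fontFamily`) is exactly the signal the recommendation above suggests monitoring for injection attempts.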


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-17T03:08:23.490Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69978157d7880ec89b3497cc

Added to database: 2/19/2026, 9:32:07 PM

Last enriched: 2/19/2026, 9:46:25 PM

Last updated: 2/20/2026, 11:46:28 PM
