Impact
Fabric.js can serialise visual objects to an SVG string via the toSVG() method. In versions prior to 7.4.0 the library does not escape the color field of entries in the colorStops array of a fabric.Gradient object; the raw value is concatenated directly into the <stop> elements of the generated SVG. Because toSVG() only returns a string, nothing executes at that point: the flaw becomes exploitable when an application inserts that string into the DOM (for example via innerHTML) or serves it as an SVG document without further sanitisation. An attacker who controls a colour value can then break out of the <stop> markup and inject arbitrary HTML or JavaScript that runs with the privileges of the embedding page, allowing data exfiltration or modification of page behaviour. This is a classic client-side cross-site scripting (XSS) issue affecting the confidentiality and integrity, and potentially the availability, of the web application.
Affected Systems
The vulnerability affects the Fabric.js library for JavaScript from the fabricjs project. All releases earlier than 7.4.0 are impacted. Versions 7.4.0 and newer contain the fix and are not susceptible.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, so the statistical likelihood of exploitation is unknown, but the vulnerability is publicly documented and a payload is straightforward to craft for anyone who controls the data passed to toSVG(). The vulnerability is not listed in CISA's KEV catalog, which suggests no known exploitation in the wild at the time of analysis. The practical attack vector is control over the gradient objects that reach toSVG(), for instance through user-supplied or imported graphics data, or through tampering with graphics data held in a backend store. If the resulting SVG is embedded in a web page without sanitisation, the attacker's payload executes as JavaScript in that page's origin. Applications that cannot upgrade immediately should validate colour values against an allowlist of CSS colour syntax before serialisation and sanitise the SVG output before inserting it into the DOM.
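The following is an added example, not code from Fabric.js or from the advisory. It models the colorStop serialisation described in the Impact section and the attacker-controlled input described in this section so the flaw, a correct escaping fix and an interim input check can be seen side by side without the real library. stopsToSvgUnescaped is a simplified stand-in for the pre-7.4.0 behaviour (an assumption for illustration, not Fabric's actual implementation), escapeXmlAttr and stopsToSvgEscaped show the escaping the fix needs, and validateColorStops is a hypothetical allowlist helper for callers stuck on an affected version. The gradient data is constructed.

```javascript
// Added example, not Fabric.js source. Models the gradient colorStop
// serialisation the advisory describes so the flaw and the fix can be
// compared without the real library.

// Constructed attacker-controlled gradient: the color field of the second
// stop carries markup instead of a colour value. The payload closes the
// attribute and element, injects a <script>, then re-opens a <stop> so the
// remaining template text still parses.
const maliciousColorStops = [
  { offset: 0, color: "#ff0000" },
  { offset: 1, color: '"/><script>alert(document.domain)</script><stop color="' },
];

// Simplified model of the pre-7.4.0 behaviour (assumption, not Fabric's
// code): the color value is concatenated straight into the <stop> element.
function stopsToSvgUnescaped(colorStops) {
  return colorStops
    .map((s) => `<stop offset="${s.offset * 100}%" style="stop-color:${s.color};"/>`)
    .join("\n");
}

// Minimal XML attribute escaper covering the five characters that can break
// out of a quoted attribute value or start a new element.
function escapeXmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened serialisation: the same template, but every untrusted value goes
// through the escaper and offset is coerced to a number.
function stopsToSvgEscaped(colorStops) {
  return colorStops
    .map((s) => `<stop offset="${Number(s.offset) * 100}%" style="stop-color:${escapeXmlAttr(s.color)};"/>`)
    .join("\n");
}

// Hypothetical defensive allowlist for callers on an affected version:
// accept only colour syntaxes a gradient stop legitimately needs (hex,
// rgb()/rgba(), hsl()/hsla(), named colours). Reject anything else before
// it reaches toSVG().
const SAFE_COLOR = /^(#[0-9a-f]{3,8}|rgba?\([\d.\s,%\/]+\)|hsla?\([\d.\s,%\/]+\)|[a-z]{3,20})$/i;

function validateColorStops(colorStops) {
  return colorStops.every(
    (s) => typeof s.color === "string" && SAFE_COLOR.test(s.color.trim())
  );
}

// Cheap sanity check on serialised output: counts element start tags so a
// stop list that produced more elements than stops is caught.
function countElements(svg) {
  return (svg.match(/<[a-z]/gi) || []).length;
}
```

Running stopsToSvgUnescaped on the constructed gradient yields four element start tags for two stops, including the injected <script>; stopsToSvgEscaped yields exactly two and the payload survives only as inert `&lt;script&gt;` text. validateColorStops rejects the malicious input outright, which is the check to put in front of any affected toSVG() call while an upgrade to 7.4.0 is pending.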
Source: Github GHSA (OpenCVE enrichment)