GHSA-46fp-8f5p-pf2m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-46fp-8f5p-pf2m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-46fp-8f5p-pf2m/GHSA-46fp-8f5p-pf2m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-46fp-8f5p-pf2m
- Published
- 2026-03-18T17:26:48Z
- Modified
- 2026-03-18T17:32:09.772531Z
- Severity
-
- 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U CVSS Calculator
- Summary
- Improper detection of disallowed URIs by Loofah `allowed_uri?`
- Details
-
Summary
Loofah::HTML5::Scrub.allowed_uri?does not correctly rejectjavascript:URIs when the scheme is split by HTML entity-encoded control characters such as (carriage return), (line feed), or	(tab).Details
The
allowed_uri?method strips literal control characters before decoding HTML entities. Payloads likejava script:alert(1)survive the control character strip, then is decoded to a carriage return, producingjava\rscript:alert(1).Note that the Loofah sanitizer's default
sanitize()path is not affected because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of theallowed_uri?string-level helper when passing HTML-encoded strings.Impact
Applications that call
Loofah::HTML5::Scrub.allowed_uri?to validate user-controlled URLs and then render approved URLs intohrefor other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).This only affects Loofah
2.25.0.Mitigation
Upgrade to Loofah >=
2.25.1.Credit
Responsibly reported by HackOne user
@smlee. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-03-18T17:26:48Z", "nvd_published_at": null, "severity": "LOW" }- References
Affected packages
RubyGems / loofah
Package
- Name
- loofah
- Purl
- pkg:gem/loofah