DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2J22-PR5W-6GQ8: GHSA-2j22-pr5w-6gq8: Cross-Site Scripting Filter Bypass in Loofah allowed_uri?

#security #cve #cybersecurity #ghsa

GHSA-2j22-pr5w-6gq8: Cross-Site Scripting Filter Bypass in Loofah allowed_uri?

Vulnerability ID: GHSA-2J22-PR5W-6GQ8
CVSS Score: 6.5
Published: 2026-03-26

The Loofah Ruby library version 2.25.0 contains an improper URI validation vulnerability in the allowed_uri? method. Attackers can bypass Cross-Site Scripting (XSS) filters by injecting HTML entity-encoded control characters into URI schemes. This allows execution of arbitrary JavaScript when the maliciously crafted URI is rendered and interacted with in a web browser.

TL;DR

Loofah 2.25.0 fails to properly sanitize HTML entity-encoded control characters in URIs evaluated via allowed_uri?. This permits XSS attacks via crafted javascript: URIs. Upgrading to 2.25.1 resolves the issue.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0: 6.5
  • Exploit Status: Proof-of-Concept
  • Vulnerable Component: Loofah::HTML5::Scrub.allowed_uri?
  • Vulnerable Version: 2.25.0
  • Fixed Version: 2.25.1
  • Patch Commit: f4ebc9c5193dde759a57541062e490e86fc7c068

Affected Systems

  • RubyGems ecosystem
  • Applications directly calling Loofah::HTML5::Scrub.allowed_uri?
  • loofah: == 2.25.0 (Fixed in: 2.25.1)

Code Analysis

Commit: f4ebc9c

Fix control character stripping in allowed_uri?

@@ -1,7 +1,8 @@
 def allowed_uri?(uri_string)
   uri_string = CGI.unescapeHTML(uri_string.gsub(CONTROL_CHARACTERS, ""))
+    .gsub(CONTROL_CHARACTERS, "")
     .gsub(":", ":")
     .downcase
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade the loofah gem to version 2.25.1 or later.
  • Avoid direct invocations of Loofah::HTML5::Scrub.allowed_uri? on unparsed user input.
  • Rely on the default Loofah.sanitize() method where possible, as it benefits from Nokogiri's entity decoding before URI evaluation.

Remediation Steps:

  1. Execute bundle update loofah in the application environment.
  2. Verify the dependency update by checking the Gemfile.lock for loofah version 2.25.1.
  3. Scan the codebase for direct usage of allowed_uri? and validate that input strings are correctly sanitized before evaluation.

References

Read the full report for GHSA-2J22-PR5W-6GQ8 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)