DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-46FP-8F5P-PF2M: GHSA-46fp-8f5p-pf2m: XSS Filter Bypass via Improper HTML Entity Decoding in Loofah allowed_uri?

#security #cve #cybersecurity #ghsa

GHSA-46fp-8f5p-pf2m: XSS Filter Bypass via Improper HTML Entity Decoding in Loofah allowed_uri?

Vulnerability ID: GHSA-46FP-8F5P-PF2M
CVSS Score: 5.3
Published: 2026-03-18

The Loofah Ruby gem version 2.25.0 contains an improper URI validation vulnerability in the Loofah::HTML5::Scrub.allowed_uri? helper method. An attacker can bypass protocol validation by using HTML-encoded control characters, leading to Cross-Site Scripting (XSS) when the validated URI is rendered in a browser.

TL;DR

Direct use of Loofah's allowed_uri? method fails to properly sanitize HTML-encoded control characters in URIs. Attackers can exploit this by passing payloads like java
script:alert(1), bypassing validation and achieving XSS when browsers render and decode the string. Default Loofah.sanitize() calls are not affected.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Improper URI Validation / Filter Bypass
  • CWE ID: CWE-79 / CWE-116
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 5.3 (Medium)
  • Exploit Status: Unproven / Theoretical PoC Available
  • Affected Component: Loofah::HTML5::Scrub.allowed_uri?
  • CISA KEV Status: Not Listed

Affected Systems

  • Loofah RubyGem version 2.25.0
  • Loofah: 2.25.0 (Fixed in: 2.25.1)

Mitigation Strategies

  • Upgrade the loofah gem to version 2.25.1 or later.
  • Ensure all user-supplied URIs are validated using standard Loofah.sanitize() rather than standalone helper methods when possible.
  • Implement a robust Content Security Policy (CSP) restricting unsafe-inline script execution.
  • Deploy WAF rules to detect and block HTML-encoded control characters (e.g., 
, 
, 	) in URI-like parameters.

Remediation Steps:

  1. Update the Gemfile to require gem 'loofah', '>= 2.25.1'.
  2. Run bundle update loofah to fetch the patched version.
  3. Search the application codebase for occurrences of Loofah::HTML5::Scrub.allowed_uri?.
  4. Verify that inputs passed to this helper do not bypass standard Nokogiri decoding workflows.
  5. Run the application test suite to ensure the version upgrade does not introduce regressions.

References

Read the full report for GHSA-46FP-8F5P-PF2M on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)