GHSA-46fp-8f5p-pf2m: XSS Filter Bypass via Improper HTML Entity Decoding in Loofah allowed_uri?

Vulnerability ID: GHSA-46FP-8F5P-PF2M
CVSS Score: 5.3
Published: 2026-03-18

This content originally appeared on DEV Community and was authored by CVE Reports

The Loofah Ruby gem version 2.25.0 contains an improper URI validation vulnerability in the Loofah::HTML5::Scrub.allowed_uri? helper method. An attacker can bypass protocol validation by using HTML-encoded control characters, leading to Cross-Site Scripting (XSS) when the validated URI is rendered in a browser.

TL;DR

Calling Loofah's allowed_uri? helper directly on a raw string does not decode HTML character references before the URI scheme is inspected, so control characters that arrive entity-encoded are not recognised as part of the scheme. A payload such as java&#10;script:alert(1) (a javascript: scheme split by an HTML-encoded newline) therefore passes the check; when a browser later decodes the entity and drops the newline from the URL, the value becomes javascript:alert(1) and the script executes. Default Loofah.sanitize() calls are not affected, because the markup is parsed by Nokogiri first and attribute values reach the scrubber with entities already decoded.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Improper URI Validation / Filter Bypass
  • CWE ID: CWE-79 / CWE-116
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 5.3 (Medium)
  • Exploit Status: Unproven / Theoretical PoC Available
  • Affected Component: Loofah::HTML5::Scrub.allowed_uri?
  • CISA KEV Status: Not Listed

Affected Systems

  • Loofah RubyGem 2.25.0 (fixed in 2.25.1)

Mitigation Strategies

  • Upgrade the loofah gem to version 2.25.1 or later.
  • Where possible, sanitize user-supplied HTML through the standard Loofah.sanitize() path rather than by calling the allowed_uri? helper on its own: the standard path parses the markup with Nokogiri, so attribute values are entity-decoded before they are checked.
  • Deploy a Content Security Policy whose script-src does not include 'unsafe-inline'; a browser enforcing such a policy refuses to run javascript: URLs, which limits the impact of a bypass but does not remove the need to upgrade.
  • Deploy WAF rules to detect and block HTML-encoded control characters in URI-like parameters (e.g., the numeric character references for newline, carriage return and tab: &#10;, &#13; and &#9;, including hexadecimal spellings such as &#x0a;). Treat this as defence in depth only, since the same character can be encoded in several ways.

Remediation Steps:

  1. Update the Gemfile to require gem 'loofah', '>= 2.25.1'.
  2. Run bundle update loofah to fetch the patched version.
  3. Search the application codebase for occurrences of Loofah::HTML5::Scrub.allowed_uri?.
  4. For each call site, confirm that the value passed to the helper is an attribute value already parsed by Nokogiri (and therefore entity-decoded), not a raw string taken from request parameters or stored data; raw strings are where the bypass applies.
  5. Run the application test suite to ensure the version upgrade does not introduce regressions.
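To make the failure described in the TL;DR, the WAF bullet and remediation step 4 concrete, the following Ruby example was written for this article. It is a constructed model of the bug class, not Loofah's implementation and not the reporter's proof of concept: a scheme allowlist applied to a string whose HTML character references have not yet been decoded, next to a hardened check that normalises the value the way a browser will (decode entities, drop ASCII tab/LF/CR) before reading the scheme, plus a decode-based detector for URI-like request parameters. The allowlist, the function names and the sample URIs are assumptions made for the demonstration.

```ruby
# Added example for this article: a constructed model of the bug class the
# advisory describes (not Loofah's implementation, not the reporter's PoC).
require "cgi"

# Hypothetical allowlist for the demonstration.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Leading URL scheme per RFC 3986: a letter, then letters, digits, "+", "-", ".".
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

# Browsers remove ASCII tab, LF and CR from anywhere in a URL before parsing it,
# so a value that decodes to "java\nscript:..." is navigated as "javascript:...".
BROWSER_STRIPPED = /[\t\n\r]/

# Flawed pattern: the scheme is read from the string exactly as supplied.
# "java&#10;script:alert(1)" has no recognisable scheme ("&" cannot appear in
# one), so it is treated as a relative URL and accepted.
def naive_allowed_uri?(uri)
  m = SCHEME_RE.match(uri)
  return true unless m # no scheme: relative URL, accepted
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# The URL a browser actually navigates to once the value sits in an href:
# character references decoded, then tab/LF/CR dropped.
def browser_view(attr_value)
  CGI.unescapeHTML(attr_value).gsub(BROWSER_STRIPPED, "")
end

# Hardened check: normalise the value the way the browser will, then apply the
# same allowlist. Leading/trailing whitespace is also dropped, as browsers do.
def hardened_allowed_uri?(uri)
  m = SCHEME_RE.match(browser_view(uri).strip)
  return true unless m
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Parameter-level detector for the WAF idea in the mitigations: decode first,
# then look for C0 control characters, so decimal ("&#10;") and hexadecimal
# ("&#x0a;") spellings are both caught without enumerating them.
def encodes_control_char?(value)
  decoded = CGI.unescapeHTML(value)
  decoded != value && decoded.match?(/[\x00-\x1f]/)
end

# Constructed sample inputs with the verdict expected from a correct check.
SAMPLES = {
  "https://example.com/" => :benign,
  "/relative/path" => :benign,
  "javascript:alert(1)" => :malicious,
  "java&#10;script:alert(1)" => :malicious, # LF entity inside the scheme
  "java&#x0d;script:alert(1)" => :malicious, # CR entity, hexadecimal
  "&#9;javascript:alert(1)" => :malicious # leading tab entity
}.freeze

# Runs both checks over the samples and records what the browser would see.
def evaluate(samples = SAMPLES)
  samples.to_h do |uri, label|
    [uri, { label: label,
            naive: naive_allowed_uri?(uri),
            hardened: hardened_allowed_uri?(uri),
            browser: browser_view(uri) }]
  end
end

if $PROGRAM_NAME == __FILE__
  evaluate.each do |uri, r|
    puts format("%-28s naive=%-5s hardened=%-5s browser=%s",
                uri, r[:naive], r[:hardened], r[:browser].inspect)
  end
end
```

Running the file prints one row per sample; the three entity-encoded rows are accepted by the naive check and rejected by the hardened one, which is exactly the gap the advisory describes. In a real application the fix is the 2.25.1 upgrade; the hardened check is there to show the property a correct validator needs (decode and strip before inspecting the scheme), not to replace Loofah.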

Source: CVE Reports | Sciencx, 2026-03-18, https://www.scien.cx/2026/03/18/ghsa-46fp-8f5p-pf2m-ghsa-46fp-8f5p-pf2m-xss-filter-bypass-via-improper-html-entity-decoding-in-loofah-allowed_uri/