
GHSA-2j22-pr5w-6gq8
Ruby vulnerability analysis and mitigation

Summary

Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as &#13; (carriage return), &#10; (line feed), or &#9; (tab).

Details

The allowed_uri? method strips literal control characters before decoding HTML entities. Payloads like java&#13;script:alert(1) survive the control character strip, then &#13; is decoded to a carriage return, producing java\rscript:alert(1). Note that the Loofah sanitizer's default sanitize() path is not affected because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the allowed_uri? string-level helper when passing HTML-encoded strings.

Impact

Applications that call Loofah::HTML5::Scrub.allowed_uri? to validate user-controlled URLs and then render approved URLs into href or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS). This only affects Loofah 2.25.0.

Mitigation

Upgrade to Loofah >= 2.25.1.

Credit

Responsibly reported by HackerOne user @smlee.


Source: NVD

Related Ruby vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2026-34060 | HIGH | 7.1 | Ruby | ruby-lsp | No | Yes | Mar 27, 2026
CVE-2026-33635 | MEDIUM | 4.3 | Ruby | icalendar | No | Yes | Mar 26, 2026
GHSA-2j22-pr5w-6gq8 | LOW | 2.3 | Ruby | loofah | No | Yes | Mar 26, 2026
CVE-2026-33658 | LOW | 2.3 | Ruby | activestorage | No | Yes | Mar 26, 2026
GHSA-53p3-c7vp-4mcc | LOW | 2.1 | JavaScript | action_text-trix | No | Yes | Mar 29, 2026
