Package Instance

Improper neutralization of data URIs may allow XSS in Loofah
## Summary

Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.


## Mitigation

Upgrade to Loofah `>= 2.19.1`.


## Severity

The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


## References

- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)
- https://hackerone.com/reports/1694173
- https://github.com/flavorjones/loofah/issues/101

## Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

Uncontrolled Recursion in Loofah
## Summary

Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception.  This may lead to a denial of service through CPU resource consumption.


## Mitigation

Upgrade to Loofah `>= 2.19.1`.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.


## Severity

The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


## References

- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)

Improper detection of disallowed URIs by Loofah `allowed_uri?`
## Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `
` (carriage return), `
` (line feed), or `	` (tab).

## Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java
script:alert(1)` survive the control character strip, then `
` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

## Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

## Mitigation

Upgrade to Loofah >= `2.25.1`.

## Credit

Responsibly reported by HackOne user `@smlee`.

Inefficient Regular Expression Complexity in Loofah
## Summary

Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.


## Mitigation

Upgrade to Loofah `>= 2.19.1`.


## Severity

The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


## References

- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)
- https://hackerone.com/reports/1684163


## Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).