VulnerableCode Package Details - pkg:gem/loofah@2.21.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-amsh-qpt1-9qb7 Aliases: GHSA-46fp-8f5p-pf2m	Improper detection of disallowed URIs by Loofah `allowed_uri?` ## Summary `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or ` ` (tab). ## Details The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`. Note that the Loofah sanitizer's default `sanitize()` path is not affected because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings. ## Impact Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS). This only affects Loofah `2.25.0`. ## Mitigation Upgrade to Loofah >= `2.25.1`. ## Credit Responsibly reported by HackOne user `@smlee`.	2.25.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-amsh-qpt1-9qb7
Aliases:
GHSA-46fp-8f5p-pf2m

Improper detection of disallowed URIs by Loofah `allowed_uri?` ## Summary `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `` (carriage return), `
` (line feed), or `	` (tab). ## Details The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `javascript:alert(1)` survive the control character strip, then `` is decoded to a carriage return, producing `java\rscript:alert(1)`. Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings. ## Impact Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS). This only affects Loofah `2.25.0`. ## Mitigation Upgrade to Loofah >= `2.25.1`. ## Credit Responsibly reported by HackOne user `@smlee`.

2.25.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:47.569803+00:00	Ruby Importer	Affected by	VCID-amsh-qpt1-9qb7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml	38.4.0
2026-04-11T21:39:55.372811+00:00	Ruby Importer	Affected by	VCID-amsh-qpt1-9qb7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml	38.3.0
2026-04-02T19:37:13.513496+00:00	Ruby Importer	Affected by	VCID-amsh-qpt1-9qb7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml	38.1.0
2026-04-01T15:55:04.539129+00:00	Ruby Importer	Affected by	VCID-amsh-qpt1-9qb7	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml	38.0.0