GHSA-W67G-2H6V-VJGQ
Vulnerability from github – Published: 2026-02-06 19:35 – Updated: 2026-02-06 19:35
Summary
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values
Details
Impact
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.
- The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. `div(**user_attributes)`.
- The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
- The third bypass could happen if user's links were passed to `href` attributes, e.g. `a(href: user_provided_link)`.
All three of these patterns are meant to be safe and all have now been patched.
Patches
Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.
The patched versions are:
- 2.4.1
- 2.3.2
- 2.2.2
- 2.1.3
- 2.0.2
- 1.11.1
Phlex has also patched the main branch in GitHub.
Workarounds
If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.
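The three patterns listed under Impact and the "doesn't use any of the above patterns" workaround both come down to the same thing: values that originate from users should be validated in the caller before they reach Phlex. The following is an added example, not code from Phlex or from the advisory, of allowlist guards a caller could apply to attribute hashes, tag names and `href` values. The module name and the three allowlists are assumptions chosen for illustration; it does not depend on the phlex gem and is a caller-side guard rather than a substitute for upgrading to a patched version.

```ruby
# Added example (not Phlex's own code): caller-side guards for the three
# patterns named in the advisory, applied before values reach Phlex.
require "uri"

module PhlexInputGuards
  # Assumed allowlists; adjust to what the views actually render.
  SAFE_TAGS = %w[div span p a ul li strong em].freeze
  SAFE_ATTRIBUTES = %i[id class title href rel target].freeze
  SAFE_HREF_SCHEMES = %w[http https mailto].freeze

  module_function

  # Pattern 1: attribute splatting. Only symbol keys from the allowlist pass;
  # string keys and unknown names are dropped, and an :href value is subject
  # to the same scheme check as pattern 3.
  def safe_attributes(attrs)
    attrs.each_with_object({}) do |(key, value), out|
      next unless key.is_a?(Symbol) && SAFE_ATTRIBUTES.include?(key)
      next if key == :href && !safe_href?(value)
      out[key] = value
    end
  end

  # Pattern 2: dynamic tag names. Returns the normalised name if it is
  # allowlisted, nil otherwise, so the caller can fall back to a fixed tag.
  def safe_tag_name(name)
    normalised = name.to_s.downcase
    SAFE_TAGS.include?(normalised) ? normalised : nil
  end

  # Pattern 3: href values. Accept absolute URLs whose scheme is allowlisted,
  # or plain relative paths (not protocol-relative "//host" forms); anything
  # URI cannot parse, including strings with embedded whitespace, is rejected.
  def safe_href?(value)
    str = value.to_s.strip
    return false if str.empty?
    uri = URI.parse(str)
    if uri.scheme.nil?
      return str.start_with?("/") && !str.start_with?("//")
    end
    SAFE_HREF_SCHEMES.include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a mix of allowed and disallowed values.
  p PhlexInputGuards.safe_attributes({ id: "main", "class" => "x", style: "y", href: "/docs" })
  p PhlexInputGuards.safe_tag_name("DIV")
  p PhlexInputGuards.safe_tag_name("script")
  p PhlexInputGuards.safe_href?("//other.example/path")
end
```

A view would then call `div(**PhlexInputGuards.safe_attributes(user_attributes))`, `tag(PhlexInputGuards.safe_tag_name(name) || "span")` and pass `href:` only when `safe_href?` returns true. Dropping unknown keys rather than escaping them is deliberate: the bypasses are about which attribute or scheme is emitted, not about how its value is escaped, so an allowlist is the guard that matches the risk.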
Severity
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0.beta1"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0.beta1"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "phlex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:35:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nDuring a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.\n\n1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`.\n2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.\n3. The third bypass could happen if user\u2019s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`.\n\nAll three of these patterns are meant to be safe and all have now been patched.\n\n### Patches\n\nPhlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.\n\nThe patched versions are:\n\n- [2.4.1](https://rubygems.org/gems/phlex/versions/2.4.1)\n- [2.3.2](https://rubygems.org/gems/phlex/versions/2.3.2)\n- [2.2.2](https://rubygems.org/gems/phlex/versions/2.2.2)\n- [2.1.3](https://rubygems.org/gems/phlex/versions/2.1.3)\n- [2.0.2](https://rubygems.org/gems/phlex/versions/2.0.3)\n- [1.11.1](https://rubygems.org/gems/phlex/versions/1.11.1)\n\nPhlex has also patched the [`main`](https://github.com/yippee-fun/phlex) branch in GitHub.\n\n### Workarounds\nIf a project uses a secure CSP (content security policy) or if the application doesn\u2019t use any of the above patterns, it is not at risk.",
"id": "GHSA-w67g-2h6v-vjgq",
"modified": "2026-02-06T19:35:09Z",
"published": "2026-02-06T19:35:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq"
},
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a"
},
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee"
},
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d"
},
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac"
},
{
"type": "WEB",
"url": "https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1"
},
{
"type": "PACKAGE",
"url": "https://github.com/yippee-fun/phlex"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.