ADVISORIES

• GHSA-w67g-2h6v-vjgq
• Vendor Advisory

GEM

phlex

SEVERITY

CVSS v3.x: 7.1 (High)

PATCHED VERSIONS

• ~> 1.11.1
• ~> 2.0.2
• ~> 2.1.3
• ~> 2.2.2
• ~> 2.3.2
• >= 2.4.1

DESCRIPTION

Impact

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.

1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. div(**user_attributes).

2. The second bypass could happen if user-provided tag names were passed to the tag method, e.g. tag(some_tag_name_from_user).

3. The third bypass could happen if user’s links were passed to href attributes, e.g. a(href: user_provided_link).

All three of these patterns are meant to be safe and all have now been patched.

Patches

Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.

The patched versions are:

• 2.4.1
• 2.3.2
• 2.2.2
• 2.1.3
• 2.0.2
• 1.11.1

Phlex has also patched the main branch in GitHub.

Workarounds

If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.

RELATED

• https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
• https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
• https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
• https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
• https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
• https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
• https://github.com/advisories/GHSA-w67g-2h6v-vjgq