
CVE

GHSA-w67g-2h6v-vjgq

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values

Impact

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site scripting) protection built into Phlex.

  1. The first bypass could occur when user-provided attributes with string keys were splatted into an HTML tag, e.g. div(**user_attributes).
  2. The second bypass could occur when a user-provided tag name was passed to the tag method, e.g. tag(sometagnamefromuser).
  3. The third bypass could occur when user-provided links were passed to href attributes, e.g. a(href: userprovidedlink).

All three of these patterns are meant to be safe and all have now been patched.
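As an added illustration (not Phlex's own code and not its patch), the following Ruby module shows an application-side allowlist that filters the three user-controlled inputs named above before they reach div(**attrs), tag(name) or a(href:); the tag allowlist, the attribute-name pattern and the accepted URL schemes are assumptions chosen for this example.

```ruby
require "uri"

# Defence-in-depth filters for the three user-controlled inputs named in the
# advisory. They run in the application before anything reaches Phlex; they
# are an added example, not Phlex's fix.
module UserInputGuards
  # Hypothetical allowlist of tag names this component may emit dynamically.
  ALLOWED_TAGS = %w[div span p ul li a strong em].freeze
  # Attribute names must look like conventional HTML attribute names
  # (underscores are allowed because Phlex maps them to dashes).
  ATTR_NAME = /\A[a-z][a-z0-9_\-]*\z/
  # Only these absolute URL schemes may appear in an href.
  ALLOWED_SCHEMES = %w[http https mailto].freeze

  # 1. Attribute splatting: keep only symbol keys with safe names and simple
  #    scalar values; drop string keys and event handlers (on*), which would
  #    execute script regardless of value escaping.
  def self.safe_attributes(attrs)
    attrs.each_with_object({}) do |(key, value), out|
      next unless key.is_a?(Symbol)
      name = key.to_s
      next unless name.match?(ATTR_NAME)
      next if name.start_with?("on")
      next unless value.is_a?(String) || value.is_a?(Integer) ||
                  value == true || value == false
      out[key] = value
    end
  end

  # 2. Dynamic tag names: accept only names from the allowlist.
  def self.safe_tag_name(name)
    candidate = name.to_s.downcase
    ALLOWED_TAGS.include?(candidate) ? candidate : nil
  end

  # 3. href values: accept root-relative paths (but not protocol-relative
  #    "//host" URLs) and absolute URLs with an allowlisted scheme. Anything
  #    URI cannot parse, including names with embedded control characters,
  #    is rejected.
  def self.safe_href(href)
    value = href.to_s.strip
    return nil if value.empty?
    return value if value.start_with?("/") && !value.start_with?("//")
    uri = URI.parse(value)
    return nil unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    value
  rescue URI::InvalidURIError
    nil
  end
end
```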

Patches

Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.

The patched versions are:

Phlex has also patched the main branch in GitHub.

Workarounds

If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.


CVSS

CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Base Score: 7.1


References

https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
https://github.com/yippee-fun/phlex

Severity

CVSS score: 7.1 (on a 0 to 10 scale)

Basic Information

Base CVSS: 7.1
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Versions: 2.4.0.beta1, 2.3.0, 2.2.0, 2.1.0, 2.0.0.beta1, 0
Fix Available: 2.4.1, 2.3.2, 2.2.2, 2.1.3, 2.0.2, 1.11.1
