💎 RubyGems

GHSA-w67g-2h6v-vjgq

HIGH

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values

Published
Feb 6, 2026
Updated
Feb 6, 2026
Affected
6 pkgs
Patched
6 / 6
Exploits
None indexed

Blast Radius

6 pkgs affected

Description

Impact

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.

  1. The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. div(**user_attributes).
  2. The second bypass could happen if user-provided tag names were passed to the tag method, e.g. tag(some_tag_name_from_user).
  3. The third bypass could happen if user-provided links were passed to href attributes, e.g. a(href: user_provided_link).

All three of these patterns are meant to be safe and all have now been patched.

Patches

Phlex has patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.

The patched versions are 2.4.1, 2.3.2, 2.2.2, 2.1.3, 2.0.2 and 1.11.1, one for each affected release branch (see the Affected Packages table below).

Phlex has also patched the main branch in GitHub.

Workarounds

If a project uses a secure CSP (content security policy) or if the application doesn’t use any of the above patterns, it is not at risk.
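Upgrading is the fix; the boundary validation below is an added example (not Phlex's own code) showing how a view can refuse the three inputs the advisory names before they reach div(**attrs), tag(name) or a(href: ...). Module and allowlist contents are hypothetical and should be sized to the application.

```ruby
require "uri"

# Added example, not part of Phlex: reject untrusted input at the boundary
# for the three advisory patterns. Allowlists here are constructed for
# illustration; widen them to what the application actually renders.
module SafeHtmlInput
  ALLOWED_TAGS    = %w[div span p a ul li strong em].freeze
  ALLOWED_ATTRS   = %i[id class href title rel target].freeze
  ALLOWED_SCHEMES = %w[http https mailto].freeze

  class UnsafeInput < StandardError; end

  # Pattern 1 (attribute splatting): accept only symbol keys from a fixed
  # allowlist, so string keys and event-handler attributes never reach **attrs.
  def self.attributes(attrs)
    attrs.each_with_object({}) do |(key, value), safe|
      raise UnsafeInput, "string key #{key.inspect}" unless key.is_a?(Symbol)
      raise UnsafeInput, "attribute #{key} not allowed" unless ALLOWED_ATTRS.include?(key)
      safe[key] = key == :href ? href(value) : value
    end
  end

  # Pattern 2 (dynamic tags): the tag name must come from an allowlist,
  # never verbatim from the request.
  def self.tag_name(name)
    name = name.to_s.downcase
    raise UnsafeInput, "tag #{name.inspect} not allowed" unless ALLOWED_TAGS.include?(name)
    name
  end

  # Pattern 3 (href values): allow relative URLs and http/https/mailto
  # absolute URLs only; anything else, including unparsable input, is refused.
  def self.href(value)
    str = value.to_s.strip
    uri = URI.parse(str)
    return str if uri.scheme.nil? # relative link such as "/docs"
    raise UnsafeInput, "scheme #{uri.scheme} not allowed" unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    str
  rescue URI::InvalidURIError
    raise UnsafeInput, "malformed URL"
  end
end
```

Call these at the controller or component boundary and pass only their return values into the Phlex view; the raised UnsafeInput should be logged as a rejected request rather than rendered.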

Affected Packages

6 total, 6 fixed

Ecosystem | Package | Vulnerable range            | Fix
RubyGems  | phlex   | >= 2.4.0.beta1, < 2.4.1     | 2.4.1
RubyGems  | phlex   | >= 2.3.0, < 2.3.2           | 2.3.2
RubyGems  | phlex   | >= 2.2.0, < 2.2.2           | 2.2.2
RubyGems  | phlex   | >= 2.1.0, < 2.1.3           | 2.1.3
RubyGems  | phlex   | >= 2.0.0.beta1, < 2.0.2     | 2.0.2
RubyGems  | phlex   | all versions                | 1.11.1

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (for a RubyGems package, Gemfile.lock) for phlex. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update phlex to 2.4.1 or later (or to the patched release of the branch you track: 2.3.2, 2.2.2, 2.1.3, 2.0.2 or 1.11.1), then make sure no transitive (indirect) dependency still pins the vulnerable range. O3 confirms GHSA-w67g-2h6v-vjgq is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-w67g-2h6v-vjgq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-w67g-2h6v-vjgq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.


Is GHSA-w67g-2h6v-vjgq in your dependencies?

O3 detects GHSA-w67g-2h6v-vjgq across RubyGems dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.