| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| hurl | rust | <= 6.1.1 | 7.0.0 |
The vulnerability lies in the HTML export of Hurl files, specifically in how regular expression literals are rendered. The hurlfmt tool uses the hurl_core library, and within it the hurl_core::format::html::HtmlFormatter struct is responsible for generating the HTML report.
Before the fix (commit 7dcdbd1796785392b1e829d1f07c6687b9a8f27d), the method hurl_core::format::html::HtmlFormatter::fmt_regex took a regex object, converted it to its source string with regex.to_source().as_str(), and passed that raw string to another method, fmt_span. fmt_span built an HTML <span> element and embedded the string (the regex literal) directly into it with self.buffer.push_str(value);, with no HTML escaping at all.
As a result, a regex literal in a Hurl file that contained markup characters such as <, >, & or quotes could carry arbitrary HTML, for example an <img> tag with an onerror attribute holding JavaScript, and that markup was written as-is into the HTML output. When the resulting report was opened in a browser, the embedded HTML was parsed and the JavaScript executed: a Cross-Site Scripting (XSS) vulnerability that is triggered by exporting any Hurl file an attacker controls the contents of.
The fix in commit 7dcdbd1796785392b1e829d1f07c6687b9a8f27d was a substantial refactoring of the HTML formatting logic. The old direct string-manipulation methods fmt_regex and fmt_span were replaced by an AST (Abstract Syntax Tree) visitor. In the new code, HtmlFormatter::visit_regex calls self.push_source(), which in turn calls self.push_untrusted(). push_untrusted explicitly escapes the HTML special characters &, < and > before appending the string to the buffer, which removes the XSS. Escaping only those three characters is sufficient here because the value is emitted as element text content between the <span> tags; it would not be sufficient for a value placed inside an attribute, where quotes must be escaped too. The integration test added in commit 248ac41cfa1797c52241c6ef756490d90027cdf2 confirms the behavior by checking that a malicious regex literal appears escaped in the HTML output.
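The following is an added example, not code from the hurl project: a minimal Rust model of the pre-fix fmt_span path and the post-fix push_untrusted path described above, fed a constructed regex "literal" that is really an <img> tag with an onerror handler. The names HtmlBuffer, fmt_span_unescaped, fmt_span_escaped, push_untrusted, format_regex_vulnerable, format_regex_fixed and span_content_is_escaped are hypothetical and mirror the roles in the advisory, not hurl_core's real API.

```rust
// Added example (not hurl's own code). Names are hypothetical stand-ins for
// the roles described in the advisory: a buffer that emits <span> elements,
// a trusted (pre-fix) path and an untrusted (post-fix) path.

/// Escape the three characters that matter inside element text content.
/// Quotes are deliberately left alone: that is only safe because the value
/// is emitted between tags, never inside an attribute value.
fn escape_html_text(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for c in value.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            other => out.push(other),
        }
    }
    out
}

/// Output buffer for the HTML report.
#[derive(Default)]
struct HtmlBuffer {
    buffer: String,
}

impl HtmlBuffer {
    /// Pre-fix behaviour: the value is treated as trusted and copied verbatim.
    fn fmt_span_unescaped(&mut self, class: &str, value: &str) {
        self.buffer.push_str("<span class=\"");
        self.buffer.push_str(class);
        self.buffer.push_str("\">");
        self.buffer.push_str(value); // raw: the regex literal lands in the DOM as markup
        self.buffer.push_str("</span>");
    }

    /// Post-fix behaviour: anything copied from the Hurl file is untrusted.
    fn push_untrusted(&mut self, value: &str) {
        self.buffer.push_str(&escape_html_text(value));
    }

    fn fmt_span_escaped(&mut self, class: &str, value: &str) {
        self.buffer.push_str("<span class=\"");
        self.buffer.push_str(class);
        self.buffer.push_str("\">");
        self.push_untrusted(value);
        self.buffer.push_str("</span>");
    }
}

/// Render a regex literal the way the vulnerable formatter did.
fn format_regex_vulnerable(regex_source: &str) -> String {
    let mut h = HtmlBuffer::default();
    h.fmt_span_unescaped("regex", regex_source);
    h.buffer
}

/// Render a regex literal the way the fixed formatter does.
fn format_regex_fixed(regex_source: &str) -> String {
    let mut h = HtmlBuffer::default();
    h.fmt_span_escaped("regex", regex_source);
    h.buffer
}

/// Crude check to run over a generated span: any literal '<' or '>' between
/// the span's own opening and closing tags means a value reached the DOM
/// unescaped.
fn span_content_is_escaped(html: &str) -> bool {
    let start = match html.find("\">") {
        Some(i) => i + 2,
        None => return false,
    };
    let end = match html.rfind("</span>") {
        Some(i) => i,
        None => return false,
    };
    if start > end {
        return false;
    }
    let inner = &html[start..end];
    !inner.contains('<') && !inner.contains('>')
}

fn main() {
    // Constructed payload, not taken from any real Hurl file: a "regex" that
    // is really an <img> tag whose onerror attribute carries JavaScript.
    let payload = r#"<img src=x onerror="alert(1)">"#;
    println!("vulnerable: {}", format_regex_vulnerable(payload));
    println!("fixed:      {}", format_regex_fixed(payload));
}
```

Run as a plain binary it prints both renderings side by side; the vulnerable one contains a live <img> element, the fixed one contains only text. The design point is in escape_html_text: it is the right escaper for text content and the wrong one for attribute values, so a formatter that ever emits user-controlled data into an attribute needs a second, quote-aware escaper.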