VYPR
Moderate severity · NVD Advisory · Published Oct 22, 2019 · Updated Aug 5, 2024

CVE-2019-15587

Description

In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Loofah gem through v2.3.0 fails to sanitize the SVG animate 'values' attribute, allowing XSS via crafted SVG elements.

Vulnerability

CVE-2019-15587 is a cross-site scripting (XSS) vulnerability in the Loofah gem for Ruby, affecting versions through 2.3.0. Loofah is a library for HTML/XML sanitization and transformation built on Nokogiri. The flaw exists because the SVG attribute safelist still allows the `values` attribute on `<animate>` elements, so an animation that targets the `href` (or `xlink:href`) of an enclosing `<a>` can set it to a `javascript:` URL that the sanitizer leaves intact [1][2][4]. The earlier fix for CVE-2018-16468 had removed `from` for the same reason; the patch for this CVE removes `values` and, with it, the related `to` and `by` attributes.

Exploitation

An attacker supplies SVG markup containing an `<animate>` element whose `values` attribute holds a `javascript:` URL and whose `attributeName` points at `href` (or `xlink:href`), with the animation placed inside or aimed at an enclosing `<a>` element. Because `values` is on the attribute safelist, the safelist-based scrubbers leave it in place (the regression test in the fix uses the `:escape` scrubber). The sanitized fragment is then republished by the application; when the animation runs in a victim's browser the link's target is rewritten to the `javascript:` URL, and clicking the link (in the known payload a large `<circle>` fills the link area) executes the payload [2][4].
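The safelist mechanism the fix changes, as an added example that is not Loofah's code: a miniature scrubber that keeps only safelisted attributes of one `<animate>` start tag. The two attribute lists are constructed subsets of Loofah's SVG safelist (v2.3.0 with `by`, `to` and `values` still present; v2.3.1 without them), the tokenizer is a small regex rather than Nokogiri, the case-sensitive name comparison is an assumption of this example, and the payload is the shape used by the fix's regression test. It also runs a constructed benign opacity animation through both lists to show the side effect of a name-based removal.

```ruby
# Added example, not Loofah's code: a miniature safelist-based attribute
# scrubber that mirrors what the 0c6617a diff changes. Parsing is a small
# regex over one start tag (no Nokogiri) so the file runs without gems.

# Constructed subsets of Loofah's SVG attribute safelist. "from" was already
# removed for CVE-2018-16468; v2.3.0 still allowed "by", "to" and "values".
SVG_ATTRS_2_3_0 = %w[attributeName begin by dur href repeatCount to values xlink:href].freeze
SVG_ATTRS_2_3_1 = (SVG_ATTRS_2_3_0 - %w[by to values]).freeze

# Parse name="value" / name='value' / name=value pairs out of one start tag.
# Deliberately minimal: enough for the payload shapes in this CVE, not HTML.
def parse_attributes(tag)
  pairs = tag.scan(/([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\/>]+))/)
  pairs.map { |name, dq, sq, bare| [name, dq || sq || bare] }.to_h
end

# Keep only attributes whose name is on the safelist. Names are compared
# case-sensitively here (an assumption of this example).
def scrub_attributes(tag, safelist)
  parse_attributes(tag).select { |name, _| safelist.include?(name) }
end

# True if any surviving attribute value still carries a javascript: URL.
def javascript_survives?(attrs)
  attrs.values.any? { |v| v.strip.downcase.start_with?("javascript:") }
end

# Constructed payload in the shape of the fix's regression test: the animation
# rewrites the enclosing <a>'s href to a javascript: URL when it runs.
PAYLOAD = %q{<animate href="#foo" attributeName="href" values="javascript:alert('xss')"/>}

# Constructed benign animation that legitimately needs "values".
BENIGN = %q{<animate attributeName="opacity" values="0;1;0" dur="2s" repeatCount="indefinite"/>}

if __FILE__ == $PROGRAM_NAME
  { "v2.3.0" => SVG_ATTRS_2_3_0, "v2.3.1" => SVG_ATTRS_2_3_1 }.each do |version, list|
    kept = scrub_attributes(PAYLOAD, list)
    puts "#{version}: payload keeps #{kept.keys.inspect}, javascript survives: #{javascript_survives?(kept)}"
    puts "#{version}: benign animation keeps #{scrub_attributes(BENIGN, list).keys.inspect}"
  end
end
```

Under the v2.3.0 list the `javascript:` value survives scrubbing; under the v2.3.1 list it is gone, but so is the `values` attribute of the harmless opacity animation, which is the cost of stripping by attribute name rather than inspecting the value or the targeted attribute.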

Impact

If successful, the attacker can execute arbitrary JavaScript in the context of the user's session, potentially leading to theft of sensitive data, session hijacking, or other client-side attacks. While the user must view the crafted SVG content (e.g., through a web application that republishes user-supplied sanitized HTML), the vulnerability bypasses the intended XSS protections provided by Loofah [1][2][4].

Mitigation

The issue was addressed in Loofah commit 0c6617a, which removes `values` (together with `to` and `by`) from the SVG attribute safelist so those attributes are stripped from `<animate>` elements during sanitization. Users should upgrade to Loofah version 2.3.1 or later to apply this fix [4]. No workaround is publicly documented; the safest mitigation is to update the gem. Because the fix drops the attributes by name rather than by value, legitimate SVG animations that rely on `to`, `by` or `values` will lose them after sanitization.
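A check for the affected range, as an added example that is not Loofah's or Bundler's tooling: it reads the resolved loofah version out of a Gemfile.lock and compares it against 2.3.1 with Ruby's built-in `Gem::Version`, so ordering is correct for versions like 2.10.0 where a string comparison would fail. The lockfile excerpts are constructed; the four-space indentation of spec lines is the standard Bundler layout the parser relies on.

```ruby
# Added example, not Loofah's or Bundler's code: flag a Gemfile.lock whose
# resolved loofah is in the affected range (< 2.3.1).
require "rubygems" # Gem::Version orders 2.3.0 < 2.3.1 < 2.10.0 correctly

PATCHED_LOOFAH = Gem::Version.new("2.3.1")

# Return the resolved Gem::Version of gem_name, or nil if it is not locked.
# Bundler writes each resolved gem under "specs:" as "    name (x.y.z)" with a
# four-space indent; its dependencies sit one level deeper and carry
# constraints like "(~> 1.0)" rather than a bare version, so they do not match.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^    #{Regexp.escape(gem_name)} \((\d[^)\s]*)\)$/)
  m && Gem::Version.new(m[1])
end

# true  -> loofah is locked to an affected version
# false -> locked to 2.3.1 or later
# nil   -> loofah is not in this lockfile
def loofah_vulnerable?(lockfile_text)
  v = locked_version(lockfile_text, "loofah")
  return nil if v.nil?
  v < PATCHED_LOOFAH
end

# Constructed lockfile excerpt in Bundler's layout.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
LOCK

# Same excerpt after the upgrade the advisory asks for.
PATCHED_LOCK = VULNERABLE_LOCK.sub("loofah (2.3.0)", "loofah (2.3.1)")

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : VULNERABLE_LOCK
  case loofah_vulnerable?(text)
  when true  then puts "loofah #{locked_version(text, 'loofah')} is affected by CVE-2019-15587; upgrade to 2.3.1 or later"
  when false then puts "loofah #{locked_version(text, 'loofah')} is not in the affected range"
  else            puts "loofah is not locked in this Gemfile.lock"
  end
end
```

Run it as `ruby check_loofah.rb path/to/Gemfile.lock`; without an argument it evaluates the constructed excerpt. Only the resolved version under `specs:` is consulted, so a `>= 2.3.1` constraint in the Gemfile is not mistaken for an actual upgrade.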

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: loofah (RubyGems)
Affected versions: < 2.3.1
Patched versions: 2.3.1

Affected products: 13

Patches: 1

0c6617af4408

mitigate XSS vulnerability in SVG animate attributes

https://github.com/flavorjones/loofah · Mike Dalessio · Oct 9, 2019 · via ghsa
2 files changed · +24 −9
  • lib/loofah/html5/safelist.rb (+0 −3, modified)
    @@ -360,7 +360,6 @@ module SafeList
                                      "baseProfile",
                                      "bbox",
                                      "begin",
    -                                 "by",
                                      "calcMode",
                                      "cap-height",
                                      "class",
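Review bot: The removal of "by" is silent in safelist.rb; a later maintainer scanning this list will see a standard SMIL animation attribute missing with no hint why and may re-add it. Add a one-line comment at the removal site (or one block above the SVG attribute list) naming the intentionally excluded animation attributes and pointing at https://html5sec.org/#137 and the two CVEs, as the test comments already do.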
    @@ -467,7 +466,6 @@ module SafeList
                                      "systemLanguage",
                                      "target",
                                      "text-anchor",
    -                                 "to",
                                      "transform",
                                      "type",
                                      "u1",
    @@ -477,7 +475,6 @@ module SafeList
                                      "unicode",
                                      "unicode-range",
                                      "units-per-em",
    -                                 "values",
                                      "version",
                                      "viewBox",
                                      "visibility",
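Review bot: With "values" gone the <animate> element itself is still allowed, so the safelist is now the only control and any value-bearing animation attribute added to this list later would reopen the hole. Consider a test (or a comment here) that asserts none of "from", "to", "by" and "values" is present in the SVG attribute list, so the invariant is checked rather than relying on each entry being removed by hand.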
    
  • test/integration/test_ad_hoc.rb (+24 −6, modified)
    @@ -188,14 +188,32 @@ def test_dont_remove_whitespace_between_tags
           end
         end
     
    -    # see:
    -    # - https://github.com/flavorjones/loofah/issues/154
    -    # - https://hackerone.com/reports/429267
    -    context "xss protection from svg xmlns:xlink animate attribute" do
    -      it "sanitizes appropriate attributes" do
    -        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>}
    +    context "xss protection from svg animate attributes" do
    +      # see recommendation from https://html5sec.org/#137
    +      # to sanitize "to", "from", "values", and "by" attributes
    +
    +      it "sanitizes 'from', 'to', and 'by' attributes" do
    +        # for CVE-2018-16468
    +        # see:
    +        # - https://github.com/flavorjones/loofah/issues/154
    +        # - https://hackerone.com/reports/429267
    +        html = %Q{<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26 by=5>}
    +
             sanitized = Loofah.scrub_fragment(html, :escape)
             assert_nil sanitized.at_css("animate")["from"]
    +        assert_nil sanitized.at_css("animate")["to"]
    +        assert_nil sanitized.at_css("animate")["by"]
    +      end
    +
    +      it "sanitizes 'values' attribute" do
    +        # for CVE-2019-15587
    +        # see:
    +        # - https://github.com/flavorjones/loofah/issues/171
    +        # - https://hackerone.com/reports/709009
    +        html = %Q{<svg> <animate href="#foo" attributeName="href" values="javascript:alert('xss')"/> <a id="foo"> <circle r=400 /> </a> </svg>}
    +
    +        sanitized = Loofah.scrub_fragment(html, :escape)
    +        assert_nil sanitized.at_css("animate")["values"]
           end
         end
       end
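Review bot: Both new tests only exercise Loofah.scrub_fragment(html, :escape) and only assert that the dangerous attribute is nil; nothing checks that the :prune and :strip scrubbers behave the same, nor that the <animate> element and a benign attribute survive, so a regression that dropped the whole element or fixed only one scrubber would still pass. Suggest iterating the three scrubber symbols and adding an assert_equal on an attribute expected to survive, e.g. `assert_equal "href", sanitized.at_css("animate")["attributeName"]`.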
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 15
