ewen-lbh/ffcss late-Unicode normalization vulnerability
Description
ffcss prior to 0.2.0 has a Unicode normalization bypass in lookupPreprocess() allowing re-introduction of filtered characters, enabling theme search manipulation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ffcss before version 0.2.0 contains a flaw in the lookupPreprocess() function, which is intended to sanitize search strings by removing dashes, underscores, and dots via a regular expression. However, the function applies Unicode normalization (NFKD) after the regex replacement, allowing an attacker to bypass the filter by using Unicode equivalents of the filtered characters (e.g., U+FE4D for underscore, U+2024 for dot) [1][3]. The normalization then converts these equivalents back to the original characters, reintroducing them into the string [4].
Exploitation
The lookupPreprocess() function processes user-controlled data from command-line arguments [3]. An attacker can supply a crafted string containing Unicode equivalents to bypass the character removal. Since the function is only used for loose theme searching (case-insensitive, ignoring dashes, underscores, and dots), exploitation does not require authentication or special privileges [2].
Impact
The impact is classified as low severity [2]. An attacker could manipulate theme search results, potentially leading to unintended exposure or selection of themes, but no code execution or data compromise is achievable [3].
Mitigation
The vulnerability is fixed in ffcss version 0.2.0 by performing Unicode normalization before regex replacement [4]. There are no known workarounds; users should update to the latest version [2].
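The ordering bug described above and the fix, shown side by side as an added example that is not ffcss's own code: the project's lookupPreprocess() is Go (using golang.org/x/text/unicode/norm), and this Python reimplementation uses the standard library's unicodedata, which applies the same Unicode NFKD decomposition. The character class `[-_ .]` is taken from the fix commit's diff and therefore also strips spaces. The theme names and the hypothetical is_canonical() check are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample inputs: compatibility variants of the filtered characters.
# Both code points decompose under NFKD into the ASCII character the regex removes.
DASHED_LOW_LINE = "\uFE4D"   # NFKD -> "_"
ONE_DOT_LEADER = "\u2024"    # NFKD -> "."

# Same character class as the project's regexp; note it includes a space.
_STRIP = re.compile(r"[-_ .]")


def lookup_preprocess_vulnerable(s: str) -> str:
    """Order used before ffcss 0.2.0: strip, then normalize, then lowercase.
    Because NFKD runs after the regex, compatibility forms decompose into the
    very characters the regex was meant to remove."""
    return unicodedata.normalize("NFKD", _STRIP.sub("", s)).lower()


def lookup_preprocess_fixed(s: str) -> str:
    """Order used from ffcss 0.2.0 on: normalize first, then strip, then lowercase."""
    return _STRIP.sub("", unicodedata.normalize("NFKD", s)).lower()


def is_canonical(key: str) -> bool:
    """Hypothetical regression guard: a preprocessed key must contain none of
    the filtered characters and must be a fixed point of the preprocessing.
    Idempotence catches ordering bugs of this kind cheaply."""
    return _STRIP.search(key) is None and lookup_preprocess_fixed(key) == key


def demo() -> dict:
    """Run both orders over a plain name and a crafted one; returns the keys."""
    crafted = "Dark" + DASHED_LOW_LINE + "Theme" + ONE_DOT_LEADER + "V2"
    return {
        "plain": lookup_preprocess_fixed("dark-theme.v2"),
        "vulnerable": lookup_preprocess_vulnerable(crafted),
        "fixed": lookup_preprocess_fixed(crafted),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:>10}: {key!r}  canonical={is_canonical(key)}")
```

With the pre-0.2.0 order the crafted input survives preprocessing as `dark_theme.v2`, so it cannot match the key `darkthemev2` that the same theme name produces when typed plainly; with normalization first, both inputs collapse to `darkthemev2`. Any filter-then-normalize pipeline has this shape, so checking that the sanitized output is a fixed point of the sanitizer is a useful unit test wherever normalization is involved.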
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ewen-lbh/ffcss (Go) | < 0.2.0 | 0.2.0 |
Affected products
Patches
f9c491874b85 Perform the Unicode Normalization first.
1 file changed · +1 −1
catalog.go+1 −1 modified@@ -42,7 +42,7 @@ func (store Catalog) Lookup(query string) (Theme, error) { // to search for something. // For example, it is used by (ThemeStore).Lookup func lookupPreprocess(s string) string { - return strings.ToLower(norm.NFKD.String(regexp.MustCompile(`[-_ .]`).ReplaceAllString(s, ""))) + return strings.ToLower(regexp.MustCompile(`[-_ .]`).ReplaceAllString(norm.NFKD.String(s), "")) } // LoadCatalog loads a directory of theme manifests.
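Review bot: `regexp.MustCompile(`[-_ .]`)` is still compiled on every call to lookupPreprocess in the changed `return` line; hoisting it to a package-level `var` (for example `var lookupStrip = regexp.MustCompile(`[-_ .]`)`) compiles it once and keeps the one-liner readable. The character class also strips spaces, which the comment above the function and the advisory text (dashes, underscores, dots) do not mention; the comment should say so. Finally, a unit test feeding inputs with U+FE4D and U+2024 and asserting they produce the same key as the plain `_` and `.` forms would lock in the new normalize-then-strip order, since the diff itself carries no test.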
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wpmx-564x-h2mh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-52081 (NVD entry)
- github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc (fix commit)
- github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh (repository security advisory)
News mentions
No linked articles in our index yet.