govuk_tech_docs XSS Vulnerability
Description
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Govuk_tech_docs versions 2.0.2 to 3.3.0 are vulnerable to XSS via unsanitized HTML in search results, allowing arbitrary JavaScript execution.
Vulnerability Details
The vulnerability is a cross-site scripting (XSS) flaw in the govuk_tech_docs gem, a Ruby gem that distributes the Tech Docs Template for building GOV.UK-style technical documentation. Affected versions range from 2.0.2 to before 3.3.1. The issue arises because pages indexed in search results have their entire contents indexed, including HTML code snippets. These snippets appear unsanitized in search results, enabling the injection of arbitrary HTML or scripts [1].
Exploitation
Exploitation requires an attacker to commit malicious code to a page that is indexed by a site using the gem. In practice, such pages are typically not editable by untrusted users, making the attack largely theoretical. However, if an attacker succeeds, users can be tricked into visiting a pre-constructed URL (e.g., /search/index.html?q=some+search+term) through social engineering, triggering the XSS [3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the affected site. This can lead to session hijacking, data theft, or other malicious actions, depending on the site's functionality [1].
Mitigation
The vulnerability was patched in version 3.3.1. The fix escapes the indexed content before it is rendered on the search results page by inserting it with jQuery's text() and reading back the resulting html(), so markup inside indexed code snippets is displayed literally rather than parsed, while the `mark(query)` highlighting of search terms is preserved [3] [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
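The before-and-after rendering described under Mitigation, as an added example that is not code from the govuk_tech_docs gem: a jQuery-free model in which `renderSnippetUnsafe` stands for the pre-3.3.1 behaviour and `renderSnippetSafe` for the escape-then-highlight approach of the fix. Function names and the sample input are assumptions; the gem's real entry point is processContent and it highlights with mark.js.

```javascript
// Added example, not code from the govuk_tech_docs gem: a jQuery-free model of
// building a search-result snippet before and after the 3.3.1 fix. Function
// names and the sample input are assumptions; the gem itself uses mark.js.

// Manual equivalent of `$('<div></div>').text(content).html()`: the DOM serialiser
// escapes &, <, >; quotes are escaped too so the result is inert in attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function queryPattern(query) {
  const terms = query.split(/\s+/).filter(Boolean)
    .map((t) => t.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')); // escape regex metachars
  return terms.length ? new RegExp(terms.join('|'), 'gi') : null;
}

// Pre-3.3.1 shape: indexed content is treated as markup and only the query
// terms get wrapped, so any tag inside an indexed code snippet survives.
function renderSnippetUnsafe(content, query) {
  const re = queryPattern(query);
  return re ? content.replace(re, (m) => '<mark>' + m + '</mark>') : content;
}

// Fixed shape: escape every text segment, then wrap the matches. Escaping per
// segment (instead of once, before matching) keeps a query such as "lt" from
// splitting an entity like &lt; that the escaping itself produced.
function renderSnippetSafe(content, query) {
  const re = queryPattern(query);
  if (!re) return escapeHtml(content);
  let out = '', last = 0, m;
  while ((m = re.exec(content)) !== null) {
    out += escapeHtml(content.slice(last, m.index));
    out += '<mark>' + escapeHtml(m[0]) + '</mark>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(content.slice(last));
}

// Spec-style check: the only tags a rendered snippet may contain are the
// <mark> wrappers the highlighter adds.
function onlyMarkTags(html) {
  return !/<(?!\/?mark>)/.test(html);
}

// Constructed input, modelled on the spec the fix added.
const SAMPLE = 'It will render multiple `<input>` `<script>alert("uhoh")</script>` and its `aria-live` region.';
```

`onlyMarkTags` is the kind of assertion a regression spec can run over every rendered snippet, independent of the exact expected string.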
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| govuk_tech_docs (RubyGems) | >= 2.0.2, < 3.3.1 | 3.3.1 |
Affected products
- Range: 2.0.2, v2.0.11, v2.0.6, …
Patches
a51c7058cec4 Merge pull request #323 from alphagov/fix-xss
3 files changed · +12 −2
CHANGELOG.md+4 −0 modified@@ -2,6 +2,10 @@ ## Unreleased +This change solves a potential security issue with HTML snippets. Pages indexed in search results have their entire contents indexed, including any HTML code snippets. These HTML snippets would appear in the search results unsanitised, making it possible to render arbitrary HTML or run arbitrary scripts. + +You can see more detail about this issue at [#323: Fix XSS vulnerability on search results page](https://github.com/alphagov/tech-docs-gem/pull/323) + ## 3.3.0 ### New features
lib/assets/javascripts/_modules/search.js+2 −2 modified@@ -169,8 +169,8 @@ this.processContent = function processContent (content, query) { var output - content = '<div>' + content + '</div>' - content = $(content).mark(query) + var sanitizedContent = $('<div></div>').text(content).html() + content = $('<div>' + sanitizedContent + '</div>').mark(query) // Split content by sentence. var sentences = content.html().replace(/(\.+|:|!|\?|\r|\n)("*|'*|\)*|}*|]*)/gm, '|').split('|')
spec/javascripts/search-spec.js+6 −0 modified@@ -99,5 +99,11 @@ describe('Search', function () { var expectedResults = ' … This is <mark data-markjs="true">test</mark> sentence one … This is <mark data-markjs="true">test</mark> sentence two … This is <mark data-markjs="true">test</mark> sentence three … This is <mark data-markjs="true">test</mark> sentence four … This is <mark data-markjs="true">test</mark> sentence five … ' expect(processedContent).toEqual(expectedResults) }) + + it('sanitises HTML in the search results', function () { + processedContent = module.processContent('It will render multiple `<input>` `<script>alert("uhoh")</script>` and its accompanying suggestions and `aria-live` region.', 'multi region') + var expectedResults = ' … It will render <mark data-markjs="true">multi</mark>ple `<input>` `<script>alert("uhoh")</script>` and its accompanying suggestions and `aria-live` <mark data-markjs="true">region</mark> … ' + expect(processedContent).toEqual(expectedResults) + }) }) })
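Review bot: in the search.js hunk, `sanitizedContent` is the fully HTML-escaped form of `content` (the DOM serialises the text set by `.text(content)` back with `&lt;`, `&gt;` and `&amp;`), not an allow-list sanitised one, so a one-line comment above `var sanitizedContent = $('<div></div>').text(content).html()` stating that all markup in indexed snippets is intentionally rendered literally would stop a later maintainer from relaxing it to keep code samples pretty. The approach itself is sound: mark.js then inserts only its own `<mark>` elements into what is now plain text, and the sentence-splitting regex that follows operates on entities that contain none of its split characters.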
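Review bot: the expected string in the new `it('sanitises HTML in the search results')` case contains the raw `<script>alert("uhoh")</script>` and `<input>` text, whereas the search.js change makes `content.html()` carry them as `&lt;script&gt;` and `&lt;input&gt;`; either the remainder of processContent (outside this hunk) decodes entities again before returning, in which case the assertion passes without showing that the rendered output is inert, or the expectation does not match the code. Suggest asserting on the escaped form (`&lt;script&gt;`), or parsing `processedContent` into a detached element and checking that no `script` or `input` element results.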
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/alphagov/tech-docs-gem/pull/323 (patch)
2. github.com/advisories/GHSA-x2xw-hw8g-6773 (third-party advisory)
3. github.com/alphagov/tech-docs-gem/security/advisories/GHSA-x2xw-hw8g-6773 (vendor advisory)
4. nvd.nist.gov/vuln/detail/CVE-2024-22048 (advisory)
5. vulncheck.com/advisories/vc-advisory-GHSA-x2xw-hw8g-6773 (third-party advisory)
6. github.com/alphagov/tech-docs-gem/commit/a51c7058cec46bf2a4e25a1da62b14ac3fd46b53 (fix commit)
7. github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1 (related: release tag)
8. github.com/rubysec/ruby-advisory-db/blob/master/gems/govuk_tech_docs/CVE-2024-22048.yml (advisory database entry)