Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata
Description
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memray prior to 1.19.2 has a stored XSS vulnerability because command-line arguments are rendered unescaped into HTML reports, allowing JavaScript execution when opened.
Vulnerability
Overview
Memray, a Python memory profiler, prior to version 1.19.2, contains a stored cross-site scripting (XSS) vulnerability. The root cause is that the command line of the tracked process is rendered directly into generated HTML reports without HTML escaping [1][3]. Specifically, when Memray uses Jinja to embed the process's command-line arguments into flame graph or table reports, it fails to instruct Jinja to escape the arguments, allowing attacker-controlled input to be inserted as raw HTML [3].
Exploitation
An attacker who can influence the script name or command-line arguments of a profiled program can inject arbitrary HTML/JavaScript into the generated reports [3]. For example, running Memray on a script whose filename contains HTML markup results in that markup being embedded verbatim in the report [3]. The vulnerability affects both `memray flamegraph` and `memray table` reports, regardless of whether the `--no-web` flag is used [3]. In the case of `memray attach`, the user generating the report may be different from the user who set the command-line arguments, widening the attack surface [3].
Impact
When a victim opens the generated HTML report in a browser, the injected JavaScript executes in the context of the report [2][3]. This stored XSS can lead to arbitrary code execution in the victim's browser, potentially allowing data theft, session hijacking, or other malicious actions. The vulnerability is present in Memray versions 1.19.1 and earlier [3].
Mitigation
The issue is fixed in Memray version 1.19.2 [2][3]. Users should upgrade to this version and avoid attaching Memray to untrusted processes until upgraded [3]. The fix ensures that command-line arguments are properly HTML-escaped before being embedded in reports, as demonstrated by the commit that adds escaping and corresponding tests [4].
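As an added illustration (not Memray's own code), the template fragment described in the Overview and the fix described under Mitigation reduced to plain Python: `html.escape(s, quote=True)` stands in for Jinja's `|e` filter (both escape the same five characters `& < > " '`), and `report_command_line_is_escaped` is a defender-side check that flags reports whose "Command line" element carries raw markup, as a report written by a vulnerable version would. The crafted command line is constructed here and is not the advisory's example.

```python
import html
import re

# Constructed sample (not the advisory's example): a script name carrying
# markup, including a premature </code> that closes the report's element early.
CRAFTED_COMMAND_LINE = 'python test.py </code><b>injected</b>'


def render_command_line_block(command_line: str, escape: bool) -> str:
    """Render the 'Command line:' fragment of base.html.

    escape=False reproduces the pre-1.19.2 template ({{ metadata.command_line }});
    escape=True reproduces the fix ({{ metadata.command_line|e }}), with
    html.escape standing in for Jinja's |e filter (same five characters).
    """
    value = html.escape(command_line, quote=True) if escape else command_line
    return f"Command line: <code>{value}</code><br>"


_COMMAND_LINE_ELEMENT = re.compile(r"Command line: <code>(.*?)</code>", re.DOTALL)


def report_command_line_is_escaped(report_html: str) -> bool:
    """Return True when a report's command-line element contains no raw markup.

    Two signals, mirroring the upstream regression test: an unbalanced
    <code>/</code> count (a crafted </code> in the command line closes the
    element early), and any '<' or '>' surviving inside the element (balanced
    tags such as <b>...</b> keep the count balanced but are still raw HTML).
    """
    if report_html.count("<code>") != report_html.count("</code>"):
        return False
    match = _COMMAND_LINE_ELEMENT.search(report_html)
    if match is None:
        return True  # no command-line element to inspect
    inner = match.group(1)
    return "<" not in inner and ">" not in inner


if __name__ == "__main__":
    for escape in (False, True):
        fragment = render_command_line_block(CRAFTED_COMMAND_LINE, escape=escape)
        verdict = "escaped" if report_command_line_is_escaped(fragment) else "RAW MARKUP"
        print(f"escape={escape!s:5} -> {verdict}: {fragment}")
```

Running the check over the "Command line:" block of an existing report is a quick way to tell whether it was produced before or after the fix, independent of the Memray version that is installed now.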
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| memray (PyPI) | < 1.19.2 | 1.19.2 |
Affected products
- bloomberg/memray, range: < 1.19.2
Patches
ba6e4e2e9930 Fix escaping in HTML reports
3 files changed · +46 −1
news/885.bugfix.rst+1 −0 added@@ -0,0 +1 @@ +Ensure the command line is properly HTML escaped when writing it into flamegraph and table reports.
src/memray/reporters/templates/base.html+1 −1 modified@@ -101,7 +101,7 @@ <h5 class="modal-title" id="statsModalLabel">Memray run stats</h5> </button> </div> <div class="modal-body"> - Command line: <code>{{ metadata.command_line }}</code><br> + Command line: <code>{{ metadata.command_line|e }}</code><br> Start time: <span id="stats-start-time"> {{ metadata.start_time }}</span><br> End time: <span id="stats-end-time"> {{ metadata.end_time }}</span><br> Duration: {{ metadata.end_time - metadata.start_time }}<br>
tests/unit/test_templates.py+44 −0 modified@@ -1,6 +1,11 @@ +from datetime import datetime + import pytest +from memray import Metadata +from memray._memray import FileFormat from memray.reporters.templates import get_report_title +from memray.reporters.templates import render_report @pytest.mark.parametrize( @@ -21,3 +26,42 @@ def test_title_for_regular_report(kind, show_memory_leaks, inverted, expected): ) == expected ) + + +@pytest.mark.parametrize( + "kind", + ["flamegraph", "table"], +) +def test_html_report_escaping(kind): + """Test that command line arguments are properly escaped.""" + # GIVEN + metadata = Metadata( + start_time=datetime(2024, 1, 1, 0, 0, 0), + end_time=datetime(2024, 1, 1, 0, 1, 0), + total_allocations=100, + total_frames=10, + peak_memory=1024, + command_line="python test.py </code>", + pid=12345, + main_thread_id=1, + python_allocator="pymalloc", + has_native_traces=False, + trace_python_allocators=False, + file_format=FileFormat.ALL_ALLOCATIONS, + ) + + # WHEN + html_output = render_report( + kind=kind, + data=[], + metadata=metadata, + memory_records=[], + show_memory_leaks=False, + merge_threads=False, + inverted=False, + no_web=True, + ) + + # THEN + assert html_output.count("<code>") == html_output.count("</code>") + assert "python test.py </code>" in html_output
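Review bot: the base.html hunk escapes only `metadata.command_line` with `|e`, while the neighbouring interpolations on the same lines (`metadata.start_time`, `metadata.end_time` and the computed duration) stay unescaped, so the fix depends on remembering the filter at every site that renders user-influenced metadata. Consider constructing the Jinja `Environment` for the report templates with `autoescape=True` (or `select_autoescape(["html"])`) and marking deliberately raw values with `|safe`, so a future template edit cannot reintroduce the bug; the datetime fields are low risk today, but the per-variable approach is fragile.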
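Review bot: in `test_html_report_escaping` the second assertion `assert "python test.py </code>" in html_output` checks for the raw, unescaped string, but the `|e` filter renders the command line inside the `<code>` element as `python test.py &lt;/code&gt;`, so this assertion is not evidence that escaping happened and reads as if it expects the opposite. Assert on the escaped form (`"python test.py &lt;/code&gt;" in html_output`) and, if the raw string is legitimately expected elsewhere in the output (for example inside an embedded data blob), say so in the test, so the tag-count check is not the only thing guarding the fix.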
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r5pr-887v-m2w9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32722 (GHSA, advisory)
- github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249 (GHSA, x_refsource_MISC, web)
- github.com/bloomberg/memray/releases/tag/v1.19.2 (GHSA, x_refsource_MISC, web)
- github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9 (GHSA, x_refsource_CONFIRM, web)