Phoenix phoenix_html Patches Critical XSS Flaw in HEEx Class Attributes — CVE-2021-46871

A security patch has been merged into the Phoenix Framework's phoenix_html package, addressing a cross-site scripting vulnerability in HEEx templates that could allow attackers to inject malicious scripts through class attributes. The update bumps phoenix_html from version 2.14.2 to 3.0.0, resolving the flaw tracked as CVE-2021-46871.

The vulnerability specifically affects tag.ex in phoenix_html versions prior to 3.0.4. HEEx, Phoenix's HTML-embedded template engine, failed to properly sanitize class attribute values, creating a vector for XSS attacks when user-supplied data was rendered in template classes. The flaw carries a CVSS score of 6.1 out of 10, classified as medium severity, with a network-based attack vector requiring user interaction to exploit.

Developers relying on Phoenix Framework for web applications are advised to verify their dependency trees and ensure phoenix_html is updated to version 3.0.0 or later. The vulnerability poses the greatest risk to applications that dynamically render user content within HEEx templates, particularly in class attribute contexts. Security advisories linked to this CVE (GHSA-5g2h-9x5v-5h3x) recommend immediate patching for any affected deployments.