Summary
Workarounds
Pre-process content by removing non-ASCII characters from URI schemes before sanitizing with bleach.clean.
A strong Content-Security-Policy whose script-src directive excludes unsafe-inline and unsafe-eval will also help mitigate the risk.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=2023812
- RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
Reported by
Reported by codeant from CodeAnt AI.
Impact
A possible XSS bypass affects users calling bleach.clean with all of:
- a in the allowed tags
- href in the allowed attributes
The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:
- Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.
- If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.
This is not a direct XSS vulnerability.
Python code example from reporter with Bleach v6.3.0 and Python 3.13:
import bleach

# \u200b is U+200B ZERO WIDTH SPACE, inserted inside the scheme so that
# "javascript" no longer matches bleach's protocol check as a whole token.
payload1 = '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
result1 = bleach.clean(payload1)
print(f"(ZWSP): {repr(result1)}")
Output:
(ZWSP): '<a href="javascript\u200b:alert(document.cookie)">Click me</a>'
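The workaround above (strip non-ASCII characters from the scheme part of a URI before sanitizing) and a post-sanitization check for the broken allowlist contract, as an added example that is not part of the advisory or of bleach itself. It assumes bleach's default protocol allowlist of http, https and mailto and uses only the standard library, so it runs without bleach installed; the function names are my own.

```python
import re
from html.parser import HTMLParser

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# Assumed to match bleach's default ALLOWED_PROTOCOLS.
DEFAULT_ALLOWED = frozenset({"http", "https", "mailto"})


def strip_scheme_noise(uri: str) -> str:
    """Workaround pre-processing: drop non-ASCII code points from the text
    before the first ':' so an invisible character cannot split the scheme.
    A head containing '/', '?' or '#' is a path or query, not a scheme
    (RFC 3986 forbids those in a scheme), so such URIs are left untouched."""
    head, sep, rest = uri.partition(":")
    if not sep or any(c in head for c in "/?#"):
        return uri
    head = "".join(c for c in head if ord(c) < 128)
    return head + sep + rest


def scheme_of(uri: str):
    """Lower-cased RFC 3986 scheme of `uri`, or None if it has no valid one."""
    head, sep, _ = uri.partition(":")
    if not sep or not _SCHEME_RE.match(head):
        return None
    return head.lower()


def violates_allowlist(uri: str, allowed=DEFAULT_ALLOWED) -> bool:
    """True when the URI carries a disallowed scheme once the invisible
    characters are removed, i.e. the downstream-normalization case above."""
    scheme = scheme_of(strip_scheme_noise(uri))
    return scheme is not None and scheme not in allowed


class _HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)


def offending_hrefs(html: str, allowed=DEFAULT_ALLOWED):
    """Post-sanitization check: href values in sanitizer output that break
    the caller's protocol allowlist (constructed sample input in the tests)."""
    parser = _HrefCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if violates_allowlist(h, allowed)]
```

Apply strip_scheme_noise to every href value before calling bleach.clean, and run offending_hrefs over the sanitizer's output as a regression check for this advisory.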
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Users should upgrade to Bleach 6.4.0.
Frequently Asked Questions
- What is GHSA-8RFP-98V4-MMR6? GHSA-8RFP-98V4-MMR6 is a low-severity security vulnerability in bleach (pip), affecting versions <= 6.3.0. It is fixed in 6.4.0.
- Which versions of bleach are affected by GHSA-8RFP-98V4-MMR6? bleach (pip) versions <= 6.3.0 are affected.
- Is there a fix for GHSA-8RFP-98V4-MMR6? Yes. GHSA-8RFP-98V4-MMR6 is fixed in 6.4.0. Upgrade to this version or later.
- Is GHSA-8RFP-98V4-MMR6 exploitable, and should I be worried? Whether GHSA-8RFP-98V4-MMR6 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-8RFP-98V4-MMR6 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-8RFP-98V4-MMR6? Upgrade bleach to 6.4.0 or later.