CVE-2022-23516 — Uncontrolled Recursion in Project Loofah

CWE-674 — Uncontrolled Recursion6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 87.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Loofah Project Loofah Debian Ruby-loofah Flavorjones Loofah

Timeline

PublishedDec 14

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/ruby-loofah< ruby-loofah 2.19.1-1 (bookworm)

▶NVDloofah_project/loofah2.2.0 — 2.19.1

▶RubyGemsloofah_project/loofah2.2.0 — 2.19.1

▶CVEListV5flavorjones/loofah>= 2.2.0, < 2.19.1

🔴Vulnerability Details

OSV

CVE-2022-23516: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri↗2022-12-14

▶

OSV

Uncontrolled Recursion in Loofah↗2022-12-13

▶

GHSA

Uncontrolled Recursion in Loofah↗2022-12-13

▶

📋Vendor Advisories

Red Hat

rubygem-loofah: Uncontrolled Recursion leading to denial of service↗2022-12-13

▶

Debian

CVE-2022-23516: ruby-loofah - Loofah is a general library for manipulating and transforming HTML/XML documents...↗2022

▶