CVE-2022-23514 (loofah): Inefficient Regular Expression Complexity in Loofah

ADVISORIES

CVE-2022-23514 (NVD)
GHSA-486f-hjj9-9vhh
Vendor Advisory

GEM

loofah

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 2.19.1

DESCRIPTION

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

https://cwe.mitre.org/data/definitions/1333.html
https://hackerone.com/reports/1684163

RubySec