Inefficient Regular Expression Complexity in Loofah
Published: December 13, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-23514 (NVD)
- GHSA: GHSA-486f-hjj9-9vhh
- Vendor Advisory: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
>= 2.19.1
DESCRIPTION
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
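A small added check for the upgrade step above (example code, not part of the advisory or of the Loofah project): it scans a Gemfile.lock for a pinned loofah version and reports whether it falls below the patched range. The lock-file fragment is constructed and the helper names are this example's own.

```ruby
# Added example (not from the advisory): flag a Gemfile.lock whose loofah
# pin is below the patched range stated in the advisory (>= 2.19.1).
require "rubygems"

PATCHED = Gem::Requirement.new(">= 2.19.1")

# Extract top-level "name (version)" pairs from the specs: section of a
# Gemfile.lock. Direct specs are indented 4 spaces; their dependency lines
# (6 spaces) are skipped because the 5th character is a space, not a name.
def lockfile_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    m = line.match(/\A {4}(?<name>[\w\-]+) \((?<ver>[^)]+)\)\s*\z/)
    [m[:name], m[:ver]] if m
  end
end

# Return the pinned loofah version string if it is below 2.19.1, nil when
# loofah is absent or already patched. Only loofah's version is parsed with
# Gem::Version (it is a pure-Ruby gem, so no platform suffix is present).
def vulnerable_loofah(lock_text)
  spec = lockfile_specs(lock_text).find { |name, _| name == "loofah" }
  return nil unless spec
  version = Gem::Version.new(spec[1])
  PATCHED.satisfied_by?(version) ? nil : spec[1]
end

# Constructed sample lock-file fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.10)
        racc (~> 1.4)
      racc (1.6.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = vulnerable_loofah(SAMPLE_LOCK)
  puts(v ? "loofah #{v} is below 2.19.1: upgrade" : "loofah is patched or absent")
end
```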
