RubySec

Providing security resources for the Ruby community

CVE-2022-23514 (loofah): Inefficient Regular Expression Complexity in Loofah

GEM

loofah

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • >= 2.19.1

DESCRIPTION

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.
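One way to check a project against the patched range above, as an added example that is not part of the RubySec advisory: it reads the `specs:` section of a Gemfile.lock and compares the loofah entry with `>= 2.19.1` using Ruby's own `Gem::Version`; the lockfile fragment is constructed for the demonstration.

```ruby
# Added example: flag a Gemfile.lock whose loofah version is below the
# patched range stated in the advisory (>= 2.19.1).
require "rubygems"

# Patched range as stated in the advisory.
PATCHED_LOOFAH = Gem::Requirement.new(">= 2.19.1")

# Collect "name (version)" entries from the specs section of a Gemfile.lock.
# Resolved gems sit at a 4-space indent; their dependency constraints
# ("~> 1.0.2", ">= 1.5.9") sit at 6 spaces and are deliberately skipped.
def lockfile_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# Returns :not_present, :vulnerable or :patched for loofah in the lockfile.
def loofah_status(lockfile_text)
  version = lockfile_versions(lockfile_text)["loofah"]
  return :not_present unless version
  PATCHED_LOOFAH.satisfied_by?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "loofah: #{loofah_status(SAMPLE_LOCKFILE)}"
end
```

Point it at a real lockfile with `loofah_status(File.read("Gemfile.lock"))`; a transitive dependency such as rails-html-sanitizer pulls loofah in even when the Gemfile never names it, which is why the resolved `specs:` entry is what gets checked.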