loofah 1.2.1

4 security vulnerabilities found in version 1.2.1

Inefficient Regular Expression Complexity in Loofah

high severity CVE-2022-23514
high severity CVE-2022-23514
Patched versions: >= 2.19.1

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Loofah XSS Vulnerability

medium severity CVE-2019-15587
medium severity CVE-2019-15587
Patched versions: >= 2.3.1

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah XSS Vulnerability

medium severity CVE-2018-8048
medium severity CVE-2018-8048
Patched versions: >= 2.2.1

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Loofah XSS Vulnerability

medium severity CVE-2018-16468
medium severity CVE-2018-16468
Patched versions: >= 2.2.3

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.