loofah 2.2.1

5 security vulnerabilities found in version 2.2.1

Uncontrolled Recursion in Loofah

high severity CVE-2022-23516
high severity CVE-2022-23516
Patched versions: >= 2.19.1
Unaffected versions: < 2.2.0

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Inefficient Regular Expression Complexity in Loofah

high severity CVE-2022-23514
high severity CVE-2022-23514
Patched versions: >= 2.19.1

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Improper neutralization of data URIs may allow XSS in Loofah

medium severity CVE-2022-23515
medium severity CVE-2022-23515
Patched versions: >= 2.19.1
Unaffected versions: < 2.1.0

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Loofah XSS Vulnerability

medium severity CVE-2019-15587
medium severity CVE-2019-15587
Patched versions: >= 2.3.1

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah XSS Vulnerability

medium severity CVE-2018-16468
medium severity CVE-2018-16468
Patched versions: >= 2.2.3

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.