// For flags

CVE-2022-23514

Inefficient Regular Expression Complexity in Loofah

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.

Loofah es una librería general para manipular y transformar documentos y fragmentos HTML / XML, construida sobre Nokogiri. Loofah &lt; 2.19.1 contiene una expresión regular ineficiente que es susceptible a un retroceso excesivo al intentar sanitizar ciertos atributos SVG. Esto puede provocar una denegación de servicio a través del consumo de recursos de CPU. Este problema está parcheado en la versión 2.19.1.

An inefficient regular expression vulnerability was found in rubygem loofah. While sanitizing certain SVG attributes, loofah is susceptible to excessive backtracking, which can result in a denial of service through CPU resource consumption.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-12-14 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-1333: Inefficient Regular Expression Complexity
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Loofah Project
Search vendor "Loofah Project"
Loofah
Search vendor "Loofah Project" for product "Loofah"
< 2.19.1
Search vendor "Loofah Project" for product "Loofah" and version " < 2.19.1"
ruby
Affected