GHSA-3x8r-x6xp-q4vm

Source

https://github.com/advisories/GHSA-3x8r-x6xp-q4vm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3x8r-x6xp-q4vm/GHSA-3x8r-x6xp-q4vm.json

Aliases

CVE-2022-23516

Published

2022-12-13T17:40:50Z

Modified

2024-02-16T08:21:44.673110Z

Summary

Uncontrolled Recursion in Loofah

Details

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE - CWE-674: Uncontrolled Recursion (4.9)

References

Affected packages

RubyGems / loofah

Package

Name: loofah

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.19.1

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.3.1

2.4.0

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.10.0

2.11.0

2.12.0

2.13.0

2.14.0

2.15.0

2.16.0

2.17.0

2.18.0

2.19.0