CVE-2022-23516: Uncontrolled Recursion in Loofah
(updated )
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
References
- github.com/advisories/GHSA-3x8r-x6xp-q4vm
- github.com/flavorjones/loofah
- github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
- github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
- github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
- lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- lists.debian.org/debian-lts-announce/2024/09/msg00044.html
- nvd.nist.gov/vuln/detail/CVE-2022-23516
Code Behaviors & Features
Detect and mitigate CVE-2022-23516 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →