cvedb.io
CVE-2022-23516
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-12-14T14:15:10.627 · Last modified 2026-06-17T04:30:16.837

Summary

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Affected products

loofah_project — loofah
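Two checks that follow from the advisory text above, written here as an added Ruby example; this is not code from cvedb.io or from the Loofah project. The first part reads a Gemfile.lock and tests the resolved loofah version against the stated affected range (>= 2.2.0, < 2.19.1). The second part is the mitigation the summary offers to users who cannot upgrade: cap the length of any string before it is handed to the sanitizer. The Gemfile.lock excerpt, the 64 KiB default cap and the `DEMO_SANITIZER` stand-in are constructed for this example; in a real application the `sanitizer:` argument would be a call into Loofah such as `->(h) { Loofah.fragment(h).scrub!(:strip).to_s }`, which is not exercised here so the block runs without the gem installed.

```ruby
# Added example (not from cvedb.io or the Loofah project). Exercises two
# things the advisory gives you: the affected version range, and the
# "limit the length of sanitized strings" mitigation.
require "rubygems"

# Affected range stated in the advisory: Loofah >= 2.2.0, < 2.19.1.
AFFECTED_LOOFAH = Gem::Requirement.new(">= 2.2.0", "< 2.19.1")

def affected_version?(version)
  AFFECTED_LOOFAH.satisfied_by?(Gem::Version.new(version))
end

# Resolved versions in Gemfile.lock appear under GEM/specs indented by four
# spaces, e.g. "    loofah (2.18.0)". Returns {version:, affected:} or nil
# when loofah is not present in the lockfile.
def check_lockfile(lock_text)
  m = lock_text.match(/^ {4}loofah \(([^)\s]+)\)/)
  return nil unless m
  { version: m[1], affected: affected_version?(m[1]) }
end

# Constructed Gemfile.lock excerpt for the demo (not a real project's file).
LOCK_SAMPLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.10)
        racc (~> 1.4)
LOCK

class InputTooLarge < StandardError; end
class SanitizeFailed < StandardError; end

# Mitigation for users who cannot upgrade: refuse oversized input before it
# reaches the sanitizer. The cap (64 KiB here) is an assumed value; size it to
# the content your application actually accepts. SystemStackError is rescued
# as defense in depth so one pathological document fails the request rather
# than the worker process; it does not recover the CPU spent before the error
# is raised, which is why the length cap comes first.
def sanitize_with_limit(html, sanitizer:, max_bytes: 64 * 1024)
  if html.bytesize > max_bytes
    raise InputTooLarge, "input is #{html.bytesize} bytes, limit #{max_bytes}"
  end
  sanitizer.call(html)
rescue SystemStackError
  raise SanitizeFailed, "sanitizer exhausted the stack"
end

# Demo stand-in for the sanitizer callable so the example runs without the
# gem. It is NOT a sanitizer; in real code pass Loofah instead, e.g.
#   ->(h) { Loofah.fragment(h).scrub!(:strip).to_s }
DEMO_SANITIZER = ->(h) { h.gsub(/<[^>]*>/, "") }

if __FILE__ == $PROGRAM_NAME
  p check_lockfile(LOCK_SAMPLE)
  p sanitize_with_limit("<b>hi</b>", sanitizer: DEMO_SANITIZER, max_bytes: 16)
  begin
    sanitize_with_limit("x" * 1000, sanitizer: DEMO_SANITIZER, max_bytes: 16)
  rescue InputTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The length cap is the only part of this that addresses the advisory's failure mode; rescuing SystemStackError just keeps the failure local to one request. Pick `max_bytes` from the largest legitimate document your application sanitizes, and upgrade to Loofah 2.19.1 or later as soon as you can.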

