PT-2022-16044 · Loofah+4

Ooooooo_Q · Published 2022-12-13 · Updated 2026-03-13 · CVE-2022-23514

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Loofah versions prior to 2.19.1

Description: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. It contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Recommendations: Upgrade to Loofah version 2.19.1 or later. As a temporary workaround, consider restricting the use of Loofah for sanitizing SVG attributes until a patch is applied.

Exploit

Fix

DoS


Weakness Enumeration

Related Identifiers

ALT-PU-2023-1338
ALT-PU-2023-4267
ALT-PU-2024-7813
CVE-2022-23514
DLA-3565-1
DLA-3901-1
GHSA-486F-HJJ9-9VHH
OPENSUSE-SU-2024:12768-1
OPENSUSE-SU-2024:14171-1
OPENSUSE-SU-2025:15120-1
OPENSUSE-SU-2026:10353-1
RHSA-2023:2097
RLSA-2023:2097
SUSE-SU-2023:1657-1
SUSE-SU-2023_1657-1

Affected Products

Alt Linux
Astra Linux
Loofah
Rocky Linux
Suse