PT-2022-16046 · Loofah+5

Flavorjones

·

Published

2022-12-13

·

Updated

2026-03-13

·

CVE-2022-23516

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Loofah versions 2.2.0 through 2.19.0

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Affected versions use recursion when sanitizing CDATA sections, so a sufficiently long input can exhaust the stack and raise a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Recommendations

For Loofah versions 2.2.0 through 2.19.0, upgrade to version 2.19.1, which resolves the issue. As a temporary workaround, users who are unable to upgrade should limit the length of the strings that are sanitized.
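The failure class behind this advisory and the interim workaround above, as an added Ruby example that is not Loofah's own code. The recursive CDATA escaper is a schematic stand-in for the vulnerable pattern (one stack frame per "]]>" occurrence, so depth grows with input length), not Loofah's actual code path; the `Loofah.fragment(...).scrub!(:strip)` call is real Loofah API, while the `SafeScrub` module, the `InputTooLarge` error, the regex stand-in sanitizer used when the gem is absent, and the 64 KiB limit are assumptions for illustration:

```ruby
# Added example, not Loofah's own code. It shows (1) the failure class behind
# this advisory with a schematic recursive CDATA escaper beside an iterative
# one, and (2) the interim workaround the advisory recommends: capping the
# byte length of anything handed to the sanitizer, which also bounds how deep
# a length-proportional recursion can go. Loofah itself is used only if the
# gem is installed; otherwise a crude stand-in lets the guard run offline.

MAX_SANITIZE_BYTES = 64 * 1024 # assumed per-request budget, not a Loofah value

class InputTooLarge < ArgumentError; end

CDATA_END    = "]]>"
CDATA_SPLICE = "]]]]><![CDATA[>" # closes the section after "]]" and reopens it before ">"

# Vulnerable pattern (schematic, not Loofah's code): one stack frame for each
# "]]>" in the input, so the recursion depth is attacker-controlled and grows
# with string length until the VM raises SystemStackError.
def escape_cdata_recursive(body)
  idx = body.index(CDATA_END)
  return body if idx.nil?
  body[0, idx] + CDATA_SPLICE + escape_cdata_recursive(body[(idx + CDATA_END.length)..-1])
end

# Fixed pattern: the same transformation in one linear pass with no stack growth.
def escape_cdata_iterative(body)
  body.gsub(CDATA_END, CDATA_SPLICE)
end

module SafeScrub
  module_function

  # Sanitizer used when the caller does not supply one.
  def default_sanitizer
    require "loofah"
    ->(html) { Loofah.fragment(html).scrub!(:strip).to_s }
  rescue LoadError
    ->(html) { html.gsub(/<[^>]*>/, "") } # stand-in only; NOT a safe HTML sanitizer
  end

  # Advisory workaround: reject oversized input before any parsing happens.
  # The check is O(1) on bytesize and runs before the sanitizer sees the string.
  def cap_length_then_scrub(html, max_bytes: MAX_SANITIZE_BYTES, sanitizer: default_sanitizer)
    if html.bytesize > max_bytes
      raise InputTooLarge, "refusing to sanitize #{html.bytesize} bytes (limit #{max_bytes})"
    end
    sanitizer.call(html)
  end
end

if __FILE__ == $PROGRAM_NAME
  hostile = CDATA_END * 300_000 # constructed input: 900 KB of back-to-back "]]>"

  begin
    escape_cdata_recursive(hostile)
  rescue SystemStackError
    puts "recursive escaper: SystemStackError after uncontrolled recursion"
  end
  puts "iterative escaper: #{escape_cdata_iterative(hostile).bytesize} bytes, no stack growth"

  begin
    SafeScrub.cap_length_then_scrub(hostile, sanitizer: method(:escape_cdata_recursive))
  rescue InputTooLarge => e
    puts "length cap: #{e.message}"
  end
  puts SafeScrub.cap_length_then_scrub("<b>ok</b><script>x</script>")
end
```

The length cap is a stopgap, not a fix: it bounds how much work any one call can do, but the recursion is still there, so the limit has to be chosen well below the depth at which the process's stack gives out, and the real remedy remains upgrading to 2.19.1.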

Exploit

Fix

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1338
ALT-PU-2023-4267
ALT-PU-2024-7813
CVE-2022-23516
DLA-3565-1
DLA-3901-1
GHSA-3X8R-X6XP-Q4VM
OPENSUSE-SU-2024:12768-1
OPENSUSE-SU-2024:14171-1
OPENSUSE-SU-2025:15120-1
OPENSUSE-SU-2026:10353-1
RHSA-2023:2097
RLSA-2023:2097
SUSE-SU-2023:1657-1

Affected Products

Alt Linux
Astra Linux
Loofah
Nokogiri
Rocky Linux
Suse