CVE-2022-23514

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2022-23514 DLA-3565-1 DLA-3901-1 OPENSUSE-SU-2024:12768-1 OPENSUSE-SU-2024:14171-1 OPENSUSE-SU-2025:15120-1

Modified

Published: 14 Dec 2022, 13:19

Last modified:03 Nov 2025, 21:45

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.27% LOW

0% probability -0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Dec 2022, 13:19

Published

Vulnerability first disclosed

03 Nov 2025, 21:45

Last Modified

Vulnerability information updated

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.27%• Percentile: 51%

Techniques & Countermeasures

CWE-1333•Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

flavorjones•loofah
< 2.19.1
loofah_project•loofah
< 2.19.1