CVE-2022-23516

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2022-23516 DLA-3565-1 DLA-3901-1 OPENSUSE-SU-2024:12768-1 OPENSUSE-SU-2024:14171-1 OPENSUSE-SU-2025:15120-1

Modified

Published: 14 Dec 2022, 13:26

Last modified:03 Nov 2025, 21:45

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.05% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

14 Dec 2022, 13:26

Published

Vulnerability first disclosed

03 Nov 2025, 21:45

Last Modified

Vulnerability information updated

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.05%• Percentile: 15%

Techniques & Countermeasures

CWE-674•Uncontrolled Recursion
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Systems

flavorjones•loofah
≥ 2.2.0, < 2.19.1
loofah_project•loofah
≥ 2.2.0, < 2.19.1