{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-23514", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-01-19T21:23:53.777Z", "datePublished": "2022-12-14T13:19:25.943Z", "dateUpdated": "2025-11-03T21:45:53.018Z"}, "containers": {"cna": {"title": "Inefficient Regular Expression Complexity in Loofah", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"}, {"name": "https://hackerone.com/reports/1684163", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1684163"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"}], "affected": [{"vendor": "flavorjones", "product": "loofah", "versions": [{"version": "< 2.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-13T16:06:21.710Z"}, "descriptions": [{"lang": "en", "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1."}], "source": {"advisory": "GHSA-486f-hjj9-9vhh", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"}, {"name": "https://hackerone.com/reports/1684163", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1684163"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:45:53.018Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-21T14:49:18.392624Z", "id": "CVE-2022-23514", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:50:27.172Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://hackerone.com/reports/1684163", "name": "https://hackerone.com/reports/1684163", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:45:53.018Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-23514", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-21T14:49:18.392624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:49:24.520Z"}}], "cna": {"title": "Inefficient Regular Expression Complexity in Loofah", "source": {"advisory": "GHSA-486f-hjj9-9vhh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "flavorjones", "product": "loofah", "versions": [{"status": "affected", "version": "< 2.19.1"}]}], "references": [{"url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://hackerone.com/reports/1684163", "name": "https://hackerone.com/reports/1684163", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"}], "descriptions": [{"lang": "en", "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-13T16:06:21.710Z"}}}, "cveMetadata": {"cveId": "CVE-2022-23514", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:45:53.018Z", "dateReserved": "2022-01-19T21:23:53.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-12-14T13:19:25.943Z", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:loofah_project:loofah:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "F02BB26C-B491-429A-947C-D0582D90D5B2", "versionEndExcluding": "2.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1."}, {"lang": "es", "value": "Loofah es una librer\u00eda general para manipular y transformar documentos y fragmentos HTML / XML, construida sobre Nokogiri. Loofah &lt; 2.19.1 contiene una expresi\u00f3n regular ineficiente que es susceptible a un retroceso excesivo al intentar sanitizar ciertos atributos SVG. Esto puede provocar una denegaci\u00f3n de servicio a trav\u00e9s del consumo de recursos de CPU. Este problema est\u00e1 parcheado en la versi\u00f3n 2.19.1."}], "id": "CVE-2022-23514", "lastModified": "2025-11-03T22:15:55.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-14T14:15:10.477", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1684163"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1684163"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2097", "cpe": "cpe:/a:redhat:satellite:6.13::el8", "package": "rubygem-loofah-0:2.19.1-1.el8sat", "product_name": "Red Hat Satellite 6.13 for RHEL 8", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "rubygem-loofah: inefficient regular expression leading to denial of service", "id": "2153234", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153234"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1333", "details": ["Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1.", "An inefficient regular expression vulnerability was found in rubygem loofah. While sanitizing certain SVG attributes, loofah is susceptible to excessive backtracking, which can result in a denial of service through CPU resource consumption."], "name": "CVE-2022-23514", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-zync-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "tfm-ror51-rubygem-loofah", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "tfm-ror52-rubygem-loofah", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "tfm-rubygem-loofah", "product_name": "Red Hat Satellite 6"}], "public_date": "2022-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-23514\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-23514\nhttps://github.com/rubysec/ruby-advisory-db/tree/master/gems/loofah/CVE-2022-23514.yml"], "threat_severity": "Moderate"}