VulnerableCode Package Details - pkg:deb/debian/ruby-loofah@2.7.0%2Bdfsg-1%2Bdeb11u1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-271j-gcn1-73c5	Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266) - https://hackerone.com/reports/1694173 - https://github.com/flavorjones/loofah/issues/101 ## Credit This vulnerability was responsibly reported by Maciej Piechota (@haqpl).	CVE-2022-23515 GHSA-228g-948r-83gx GMS-2022-8287
VCID-6qdt-my8d-rkd5	Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)	CVE-2022-23516 GHSA-3x8r-x6xp-q4vm GMS-2022-8288
VCID-q52h-9tcw-zfab	Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html) - https://hackerone.com/reports/1684163 ## Credit This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).	CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289

Vulnerability

Summary

Aliases

VCID-271j-gcn1-73c5

Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266) - https://hackerone.com/reports/1694173 - https://github.com/flavorjones/loofah/issues/101 ## Credit This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

CVE-2022-23515
GHSA-228g-948r-83gx
GMS-2022-8287

VCID-6qdt-my8d-rkd5

Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)

CVE-2022-23516
GHSA-3x8r-x6xp-q4vm
GMS-2022-8288

VCID-q52h-9tcw-zfab

Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html) - https://hackerone.com/reports/1684163 ## Credit This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:34:06.110343+00:00	Debian Importer	Fixing	VCID-q52h-9tcw-zfab	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:29:34.876701+00:00	Debian Importer	Fixing	VCID-6qdt-my8d-rkd5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:12:54.469725+00:00	Debian Importer	Fixing	VCID-271j-gcn1-73c5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:53:09.831399+00:00	Debian Importer	Fixing	VCID-q52h-9tcw-zfab	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:49:57.320400+00:00	Debian Importer	Fixing	VCID-6qdt-my8d-rkd5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:52:04.162282+00:00	Debian Importer	Fixing	VCID-271j-gcn1-73c5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:52:17.271267+00:00	Debian Importer	Fixing	VCID-6qdt-my8d-rkd5	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:17.221541+00:00	Debian Importer	Fixing	VCID-271j-gcn1-73c5	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:17.170799+00:00	Debian Importer	Fixing	VCID-q52h-9tcw-zfab	https://security-tracker.debian.org/tracker/data/json	38.1.0