VulnerableCode Package Details - pkg:deb/debian/ruby-loofah@2.7.0%2Bdfsg-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-19uf-4mfq-87dv Aliases: CVE-2022-23516 GHSA-3x8r-x6xp-q4vm GMS-2022-8288	Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.	2.19.1-1 Affected by 0 other vulnerabilities.
VCID-8ut1-66x1-4kfx Aliases: CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289	Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1-1 Affected by 0 other vulnerabilities.
VCID-ef83-dy1p-g7fp Aliases: CVE-2022-23515 GHSA-228g-948r-83gx GMS-2022-8287	Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-19uf-4mfq-87dv
Aliases:
CVE-2022-23516
GHSA-3x8r-x6xp-q4vm
GMS-2022-8288

Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

2.19.1-1
Affected by 0 other vulnerabilities.

VCID-8ut1-66x1-4kfx
Aliases:
CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289

Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1-1
Affected by 0 other vulnerabilities.

VCID-ef83-dy1p-g7fp
Aliases:
CVE-2022-23515
GHSA-228g-948r-83gx
GMS-2022-8287

Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9eux-3fc7-13gr	Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.	CVE-2019-15587 GHSA-c3gv-9cxf-6f57

Vulnerability

Summary

Aliases

VCID-9eux-3fc7-13gr

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

CVE-2019-15587
GHSA-c3gv-9cxf-6f57

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T20:17:30.523074+00:00	Debian Oval Importer	Affected by	VCID-8ut1-66x1-4kfx	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:28:44.984200+00:00	Debian Oval Importer	Fixing	VCID-9eux-3fc7-13gr	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:31:48.025889+00:00	Debian Oval Importer	Affected by	VCID-19uf-4mfq-87dv	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T14:34:10.917654+00:00	Debian Oval Importer	Affected by	VCID-ef83-dy1p-g7fp	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0