VulnerableCode Package Details - pkg:gem/loofah@2.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-8ut1-66x1-4kfx Aliases: CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289	Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1 Affected by 0 other vulnerabilities.
VCID-8x54-m4j9-5kh5 Aliases: CVE-2022-23518 GHSA-mcvf-2q2m-x72m GMS-2022-8300	Improper neutralization of data URIs may allow XSS in rails-html-sanitizer ## Summary rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`. ## Mitigation Upgrade to rails-html-sanitizer `>= 1.4.4`.	2.1.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-9eux-3fc7-13gr Aliases: CVE-2019-15587 GHSA-c3gv-9cxf-6f57	Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.	2.3.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ef83-dy1p-g7fp Aliases: CVE-2022-23515 GHSA-228g-948r-83gx GMS-2022-8287	Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1 Affected by 0 other vulnerabilities.
VCID-embn-3gvw-b7bp Aliases: CVE-2018-16468 GHSA-g4xq-jx4w-4cjv	Loofah XSS Vulnerability In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.	2.2.3 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nt8x-sgpg-ffh3 Aliases: CVE-2018-8048 GHSA-x7rv-cr6v-4vm4	Revert libxml2 behavior in Nokogiri gem that could cause XSS [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: https://github.com/GNOME/libxml2/commit/960f0e2 and more information is available about this commit and its impact here: https://github.com/flavorjones/loofah/issues/144 This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: https://bugzilla.gnome.org/show_bug.cgi?id=769760	2.2.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8ut1-66x1-4kfx
Aliases:
CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289

Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1
Affected by 0 other vulnerabilities.

VCID-8x54-m4j9-5kh5
Aliases:
CVE-2022-23518
GHSA-mcvf-2q2m-x72m
GMS-2022-8300

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer ## Summary rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`. ## Mitigation Upgrade to rails-html-sanitizer `>= 1.4.4`.

2.1.1
Affected by 5 other vulnerabilities.

VCID-9eux-3fc7-13gr
Aliases:
CVE-2019-15587
GHSA-c3gv-9cxf-6f57

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

2.3.1
Affected by 3 other vulnerabilities.

VCID-ef83-dy1p-g7fp
Aliases:
CVE-2022-23515
GHSA-228g-948r-83gx
GMS-2022-8287

Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1
Affected by 0 other vulnerabilities.

VCID-embn-3gvw-b7bp
Aliases:
CVE-2018-16468
GHSA-g4xq-jx4w-4cjv

Loofah XSS Vulnerability In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

2.2.3
Affected by 4 other vulnerabilities.

VCID-nt8x-sgpg-ffh3
Aliases:
CVE-2018-8048
GHSA-x7rv-cr6v-4vm4

Revert libxml2 behavior in Nokogiri gem that could cause XSS [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: https://github.com/GNOME/libxml2/commit/960f0e2 and more information is available about this commit and its impact here: https://github.com/flavorjones/loofah/issues/144 This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: https://bugzilla.gnome.org/show_bug.cgi?id=769760

2.2.1
Affected by 5 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-02T10:11:14.120049+00:00	GitLab Importer	Affected by	VCID-8ut1-66x1-4kfx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23514.yml	37.0.0
2025-08-02T09:13:28.134287+00:00	GitLab Importer	Affected by	VCID-ef83-dy1p-g7fp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23515.yml	37.0.0
2025-08-01T10:56:18.242580+00:00	GitLab Importer	Affected by	VCID-8x54-m4j9-5kh5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23518.yml	37.0.0
2025-08-01T09:26:13.340192+00:00	GitLab Importer	Affected by	VCID-9eux-3fc7-13gr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2019-15587.yml	37.0.0
2025-08-01T09:16:37.095716+00:00	GitLab Importer	Affected by	VCID-embn-3gvw-b7bp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2018-16468.yml	37.0.0
2025-08-01T09:07:08.970447+00:00	GitLab Importer	Affected by	VCID-nt8x-sgpg-ffh3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2018-8048.yml	37.0.0
2025-08-01T08:01:20.922645+00:00	GHSA Importer	Affected by	VCID-nt8x-sgpg-ffh3	https://github.com/advisories/GHSA-x7rv-cr6v-4vm4	37.0.0
2025-07-31T12:36:25.569959+00:00	GHSA Importer	Affected by	VCID-ef83-dy1p-g7fp	https://github.com/advisories/GHSA-228g-948r-83gx	37.0.0
2025-07-31T08:05:05.179112+00:00	Ruby Importer	Affected by	VCID-ef83-dy1p-g7fp	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml	37.0.0