VulnerableCode Package Details - pkg:gem/loofah@2.10.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-19uf-4mfq-87dv Aliases: CVE-2022-23516 GHSA-3x8r-x6xp-q4vm GMS-2022-8288	Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.	2.19.1 Affected by 0 other vulnerabilities.
VCID-8ut1-66x1-4kfx Aliases: CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289	Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1 Affected by 0 other vulnerabilities.
VCID-ef83-dy1p-g7fp Aliases: CVE-2022-23515 GHSA-228g-948r-83gx GMS-2022-8287	Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.	2.19.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-19uf-4mfq-87dv
Aliases:
CVE-2022-23516
GHSA-3x8r-x6xp-q4vm
GMS-2022-8288

Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

2.19.1
Affected by 0 other vulnerabilities.

VCID-8ut1-66x1-4kfx
Aliases:
CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289

Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1
Affected by 0 other vulnerabilities.

VCID-ef83-dy1p-g7fp
Aliases:
CVE-2022-23515
GHSA-228g-948r-83gx
GMS-2022-8287

Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`.

2.19.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-02T10:11:14.191947+00:00	GitLab Importer	Affected by	VCID-8ut1-66x1-4kfx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23514.yml	37.0.0
2025-08-02T10:11:07.263550+00:00	GitLab Importer	Affected by	VCID-19uf-4mfq-87dv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23516.yml	37.0.0
2025-08-02T10:11:05.217493+00:00	GitLab Importer	Affected by	VCID-ef83-dy1p-g7fp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23515.yml	37.0.0