Package details: pkg:gem/loofah@2.2.3
purl pkg:gem/loofah@2.2.3
Next non-vulnerable version 2.19.1
Latest non-vulnerable version 2.19.1
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-19uf-4mfq-87dv
Aliases:
CVE-2022-23516
GHSA-3x8r-x6xp-q4vm
GMS-2022-8288
Uncontrolled Recursion in Loofah. Summary: Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. Mitigation: Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
2.19.1
Affected by 0 other vulnerabilities.
VCID-8ut1-66x1-4kfx
Aliases:
CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289
Inefficient Regular Expression Complexity in Loofah. Summary: Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. Mitigation: Upgrade to Loofah `>= 2.19.1`.
2.19.1
Affected by 0 other vulnerabilities.
VCID-9eux-3fc7-13gr
Aliases:
CVE-2019-15587
GHSA-c3gv-9cxf-6f57
Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
2.3.1
Affected by 3 other vulnerabilities.
VCID-ef83-dy1p-g7fp
Aliases:
CVE-2022-23515
GHSA-228g-948r-83gx
GMS-2022-8287
Improper neutralization of data URIs may allow XSS in Loofah. Summary: Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. Mitigation: Upgrade to Loofah `>= 2.19.1`.
2.19.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-embn-3gvw-b7bp
Aliases:
CVE-2018-16468
GHSA-g4xq-jx4w-4cjv
Loofah XSS Vulnerability In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-02T10:11:14.144344+00:00 GitLab Importer Affected by VCID-8ut1-66x1-4kfx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23514.yml 37.0.0
2025-08-02T10:11:07.216173+00:00 GitLab Importer Affected by VCID-19uf-4mfq-87dv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23516.yml 37.0.0
2025-08-02T10:11:05.158290+00:00 GitLab Importer Affected by VCID-ef83-dy1p-g7fp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2022-23515.yml 37.0.0
2025-08-01T09:26:13.363239+00:00 GitLab Importer Affected by VCID-9eux-3fc7-13gr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2019-15587.yml 37.0.0
2025-07-31T12:27:58.425396+00:00 GHSA Importer Fixing VCID-embn-3gvw-b7bp https://github.com/advisories/GHSA-g4xq-jx4w-4cjv 37.0.0
2025-07-31T09:23:31.537981+00:00 GitLab Importer Fixing VCID-embn-3gvw-b7bp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/loofah/CVE-2018-16468.yml 37.0.0
2025-07-31T08:56:27.408875+00:00 GithubOSV Importer Fixing VCID-embn-3gvw-b7bp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-g4xq-jx4w-4cjv/GHSA-g4xq-jx4w-4cjv.json 37.0.0