Search for vulnerabilities
Vulnerability details: VCID-19uf-4mfq-87dv
Vulnerability ID VCID-19uf-4mfq-87dv
Aliases CVE-2022-23516
GHSA-3x8r-x6xp-q4vm
GMS-2022-8288
Summary Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-674 Uncontrolled Recursion
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23516.json
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2022-23516
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3x8r-x6xp-q4vm
cvssv3.1 7.5 https://github.com/flavorjones/loofah
generic_textual HIGH https://github.com/flavorjones/loofah
cvssv3.1 7.5 https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
generic_textual HIGH https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
cvssv3 7.5 https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
cvssv3.1 7.5 https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
cvssv3.1_qr HIGH https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
generic_textual HIGH https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
ssvc Track https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23516
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-23516
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23516.json
https://api.first.org/data/v1/epss?cve=CVE-2022-23516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23516
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/flavorjones/loofah
https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
https://nvd.nist.gov/vuln/detail/CVE-2022-23516
1026083 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026083
2153241 https://bugzilla.redhat.com/show_bug.cgi?id=2153241
cpe:2.3:a:loofah_project:loofah:*:*:*:*:*:ruby:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:loofah_project:loofah:*:*:*:*:*:ruby:*:*
GHSA-3x8r-x6xp-q4vm https://github.com/advisories/GHSA-3x8r-x6xp-q4vm
RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23516.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-18T18:19:29Z/ Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-18T18:19:29Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23516
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06656
EPSS Score 0.0003
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:05:05.099817+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml 37.0.0