VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-8ut1-66x1-4kfx

Essentials
Severities (51)
References (16)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-8ut1-66x1-4kfx
Aliases	CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289
Summary	Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1333	Inefficient Regular Expression Complexity
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
epss	0.00223	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00223	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00223	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00273	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-23514
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1	7.5	https://github.com/flavorjones/loofah
generic_textual	HIGH	https://github.com/flavorjones/loofah
cvssv3.1	7.5	https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
generic_textual	HIGH	https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
cvssv3	7.5	https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1	7.5	https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1_qr	HIGH	https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
generic_textual	HIGH	https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
ssvc	Track	https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1	7.5	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
cvssv3.1	7.5	https://hackerone.com/reports/1684163
generic_textual	HIGH	https://hackerone.com/reports/1684163
ssvc	Track	https://hackerone.com/reports/1684163
cvssv3.1	7.5	https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
generic_textual	HIGH	https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-23514
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-23514

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-23514
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23514
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/flavorjones/loofah
		https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
		https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
		https://hackerone.com/reports/1684163
		https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
		https://nvd.nist.gov/vuln/detail/CVE-2022-23514
1026083		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026083
2153234		https://bugzilla.redhat.com/show_bug.cgi?id=2153234
cpe:2.3:a:loofah_project:loofah::::::ruby::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:loofah_project:loofah::::::ruby::*
GHSA-486f-hjj9-9vhh		https://github.com/advisories/GHSA-486f-hjj9-9vhh
RHSA-2023:2097		https://access.redhat.com/errata/RHSA-2023:2097

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://hackerone.com/reports/1684163

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://hackerone.com/reports/1684163

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23514

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.45142
EPSS Score	0.00223
Published At	Aug. 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:05:05.060174+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml	37.0.0