Vulnerability details: VCID-8ut1-66x1-4kfx
Vulnerability ID VCID-8ut1-66x1-4kfx
Aliases CVE-2022-23514
GHSA-486f-hjj9-9vhh
GMS-2022-8289
Summary Inefficient Regular Expression Complexity in Loofah
Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation Upgrade to Loofah `>= 2.19.1`.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
epss 0.00223 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00273 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
epss 0.00274 https://api.first.org/data/v1/epss?cve=CVE-2022-23514
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1 7.5 https://github.com/flavorjones/loofah
generic_textual HIGH https://github.com/flavorjones/loofah
cvssv3.1 7.5 https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
generic_textual HIGH https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
cvssv3 7.5 https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1 7.5 https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1_qr HIGH https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
generic_textual HIGH https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
ssvc Track https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
cvssv3.1 7.5 https://hackerone.com/reports/1684163
generic_textual HIGH https://hackerone.com/reports/1684163
ssvc Track https://hackerone.com/reports/1684163
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-23514
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-23514
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://hackerone.com/reports/1684163
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://hackerone.com/reports/1684163
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/ Found at https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23514
Exploit Prediction Scoring System (EPSS)
Percentile 0.45142
EPSS Score 0.00223
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:05:05.060174+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml 37.0.0