vulnerability

Debian: CVE-2022-23516: ruby-loofah -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Dec 14, 2022	Sep 15, 2023	Aug 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Dec 14, 2022

Added

Sep 15, 2023

Modified

Aug 15, 2025

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Solution

debian-upgrade-ruby-loofah

References

CVE-2022-23516
https://attackerkb.com/topics/CVE-2022-23516
CWE-674
DEBIAN-DLA-3565-1

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today