Ruby/loofah/2.2.0

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific application of the general transformation functionality.

https://rubygems.org/gems/loofah
MIT

12 Security Vulnerabilities

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13T17:39:36Z
CVE: CVE-2022-23515
Links:

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Uncontrolled Recursion in Loofah

Published date: 2022-12-13T17:40:50Z
CVE: CVE-2022-23516
Links:

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13T17:36:28Z
CVE: CVE-2022-23514
Links:

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Loofah Allows Cross-site Scripting

Published date: 2019-11-05T23:58:25Z
CVE: CVE-2019-15587
Links:

In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Loofah Cross-site Scripting vulnerability

Published date: 2018-11-01T14:46:01Z
CVE: CVE-2018-16468
Links:

In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.

See https://github.com/flavorjones/loofah/issues/154 for more details.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Cross-site Scripting in loofah

Published date: 2018-03-21T11:57:11Z
CVE: CVE-2018-8048
Links:

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

  • when running on MRI or RBX,
  • in combination with libxml2 >= 2.9.2.

JRuby users are not affected.

Affected versions: ["2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2018-10-30
CVE: 2018-16468
CVSS V3: 6.4
Links:

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2018-03-16
CVE: 2018-8048
CVSS V3: 6.1
Links:

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Affected versions: ["2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2019-10-22
CVE: 2019-15587
CVSS V3: 6.4
Links:

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13
CVE: 2022-23514
CVSS V3: 7.5
Links:

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13
CVE: 2022-23515
CVSS V3: 6.1
Links:

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

Uncontrolled Recursion in Loofah

Published date: 2022-12-13
CVE: 2022-23516
CVSS V3: 7.5
Links:

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]
Recommendation: Update to version 2.24.0.

61 Other Versions

Version License Security Released
2.24.0 MIT 2025-01-01 - 03:05 4 months
2.23.1 MIT 2024-10-25 - 12:43 7 months
2.23.0 MIT 2024-10-24 - 12:59 7 months
2.22.0 MIT 2023-11-13 - 21:41 over 1 year
2.21.4 MIT 2023-10-10 - 17:55 over 1 year
2.21.3 MIT 2023-05-15 - 21:10 almost 2 years
2.21.2 MIT 2023-05-11 - 15:39 almost 2 years
2.21.1 MIT 2023-05-10 - 14:39 almost 2 years
2.21.0 MIT 2023-05-10 - 13:50 almost 2 years
2.21.0.rc1 MIT 2023-04-03 - 02:21 about 2 years
2.20.0 MIT 2023-04-01 - 17:07 about 2 years
2.19.1 MIT 2022-12-13 - 13:22 over 2 years
2.19.0 MIT 6 2022-09-14 - 13:38 over 2 years
2.18.0 MIT 6 2022-05-11 - 18:42 almost 3 years
2.17.0 MIT 6 2022-04-28 - 13:35 about 3 years
2.16.0 MIT 6 2022-04-01 - 18:27 about 3 years
2.15.0 MIT 6 2022-03-14 - 17:09 about 3 years
2.14.0 MIT 6 2022-02-11 - 19:10 about 3 years
2.13.0 MIT 6 2021-12-10 - 05:21 over 3 years
2.12.0 MIT 6 2021-08-11 - 17:30 over 3 years
2.11.0 MIT 6 2021-07-31 - 21:31 almost 4 years
2.10.0 MIT 6 2021-06-06 - 17:01 almost 4 years
2.9.1 MIT 6 2021-04-07 - 15:23 about 4 years
2.9.0 MIT 6 2021-01-14 - 21:36 over 4 years
2.8.0 MIT 6 2020-11-25 - 21:16 over 4 years
2.7.0 MIT 6 2020-08-26 - 19:33 over 4 years
2.6.0 MIT 6 2020-06-16 - 21:22 almost 5 years
2.5.0 MIT 6 2020-04-05 - 20:51 about 5 years
2.4.0 MIT 6 2019-11-25 - 18:45 over 5 years
2.3.1 MIT 6 2019-10-22 - 13:14 over 5 years
2.3.0 MIT 8 2019-09-28 - 17:37 over 5 years
2.2.3 MIT 8 2018-10-30 - 13:01 over 6 years
2.2.2 MIT 10 2018-03-22 - 15:10 about 7 years
2.2.1 MIT 10 2018-03-19 - 20:32 about 7 years
2.2.0 MIT 12 2018-02-11 - 22:23 about 7 years
2.1.1 MIT 10 2017-09-25 - 01:11 over 7 years
2.1.0 MIT 10 2017-09-24 - 20:48 over 7 years
2.1.0.rc2 MIT 8 2016-01-11 - 18:31 over 9 years
2.1.0.rc1 MIT 8 2015-08-17 - 23:21 over 9 years
2.0.3 MIT 8 2015-08-17 - 18:13 over 9 years
2.0.2 MIT 8 2015-05-05 - 19:59 about 10 years
2.0.1 MIT 8 2014-08-21 - 21:28 over 10 years
2.0.0 MIT 8 2014-05-09 - 22:51 almost 11 years
1.2.1 UNKNOWN 8 2012-04-14 - 19:08 about 13 years
1.2.0 UNKNOWN 8 2011-08-08 - 16:54 almost 14 years
1.1.0 UNKNOWN 8 2011-08-08 - 05:30 almost 14 years
1.0.0 UNKNOWN 8 2010-10-26 - 04:52 over 14 years
1.0.0.beta.1 UNKNOWN 8 2010-07-21 - 06:56 almost 15 years
0.4.7 UNKNOWN 8 2010-03-09 - 20:47 about 15 years
0.4.6 UNKNOWN 8 2010-02-02 - 14:54 over 15 years
0.4.5 UNKNOWN 9 2010-02-02 - 12:27 over 15 years
0.4.4 UNKNOWN 9 2010-02-01 - 21:59 over 15 years
0.4.3 UNKNOWN 9 2010-01-31 - 20:18 over 15 years
0.4.2 UNKNOWN 9 2010-01-24 - 03:54 over 15 years
0.4.1 UNKNOWN 9 2009-11-23 - 12:17 over 15 years
0.4.0 UNKNOWN 9 2009-11-22 - 03:59 over 15 years
0.3.1 UNKNOWN 9 2009-10-13 - 06:15 over 15 years
0.3.0 UNKNOWN 9 2009-10-07 - 10:38 over 15 years
0.2.2 UNKNOWN 9 2009-09-24 - 22:14 over 15 years
0.2.1 UNKNOWN 9 2009-08-20 - 05:39 over 15 years
0.2.0 UNKNOWN 9 2009-08-18 - 05:20 over 15 years