Ruby/loofah/2.7.0
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific
application of the general transformation functionality.
https://rubygems.org/gems/loofah
MIT
6 Security Vulnerabilities
Improper neutralization of data URIs may allow XSS in Loofah
- https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
- https://github.com/flavorjones/loofah/issues/101
- https://github.com/w3c/svgwg/issues/266
- https://github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f
- https://hackerone.com/reports/1694173
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml
- https://github.com/advisories/GHSA-228g-948r-83gx
- https://nvd.nist.gov/vuln/detail/CVE-2022-23515
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Summary
Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.
Mitigation
Upgrade to Loofah >= 2.19.1.
Severity
The Loofah maintainers have evaluated this as Medium Severity 6.1.
References
- CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
- SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg
- https://hackerone.com/reports/1694173
- https://github.com/flavorjones/loofah/issues/101
Credit
This vulnerability was responsibly reported by Maciej Piechota (@haqpl).
Uncontrolled Recursion in Loofah
- https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
- https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
- https://github.com/advisories/GHSA-3x8r-x6xp-q4vm
- https://nvd.nist.gov/vuln/detail/CVE-2022-23516
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
Inefficient Regular Expression Complexity in Loofah
- https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
- https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
- https://github.com/advisories/GHSA-486f-hjj9-9vhh
- https://nvd.nist.gov/vuln/detail/CVE-2022-23514
- https://hackerone.com/reports/1684163
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
- CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
- https://hackerone.com/reports/1684163
Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Inefficient Regular Expression Complexity in Loofah
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Improper neutralization of data URIs may allow XSS in Loofah
Summary
Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.
Mitigation
Upgrade to Loofah >= 2.19.1.
Uncontrolled Recursion in Loofah
Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
58 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 2.22.0 | MIT | 2023-11-13 - 21:41 | 6 months | |
| 2.21.4 | MIT | 2023-10-10 - 17:55 | 7 months | |
| 2.21.3 | MIT | 2023-05-15 - 21:10 | 12 months | |
| 2.21.2 | MIT | 2023-05-11 - 15:39 | 12 months | |
| 2.21.1 | MIT | 2023-05-10 - 14:39 | 12 months | |
| 2.21.0 | MIT | 2023-05-10 - 13:50 | 12 months | |
| 2.21.0.rc1 | MIT | 2023-04-03 - 02:21 | about 1 year | |
| 2.20.0 | MIT | 2023-04-01 - 17:07 | about 1 year | |
| 2.19.1 | MIT | 2022-12-13 - 13:22 | over 1 year | |
| 2.19.0 | MIT | 6 | 2022-09-14 - 13:38 | over 1 year |
| 2.18.0 | MIT | 6 | 2022-05-11 - 18:42 | almost 2 years |
| 2.17.0 | MIT | 6 | 2022-04-28 - 13:35 | about 2 years |
| 2.16.0 | MIT | 6 | 2022-04-01 - 18:27 | about 2 years |
| 2.15.0 | MIT | 6 | 2022-03-14 - 17:09 | about 2 years |
| 2.14.0 | MIT | 6 | 2022-02-11 - 19:10 | about 2 years |
| 2.13.0 | MIT | 6 | 2021-12-10 - 05:21 | over 2 years |
| 2.12.0 | MIT | 6 | 2021-08-11 - 17:30 | over 2 years |
| 2.11.0 | MIT | 6 | 2021-07-31 - 21:31 | almost 3 years |
| 2.10.0 | MIT | 6 | 2021-06-06 - 17:01 | almost 3 years |
| 2.9.1 | MIT | 6 | 2021-04-07 - 15:23 | about 3 years |
| 2.9.0 | MIT | 6 | 2021-01-14 - 21:36 | over 3 years |
| 2.8.0 | MIT | 6 | 2020-11-25 - 21:16 | over 3 years |
| 2.7.0 | MIT | 6 | 2020-08-26 - 19:33 | over 3 years |
| 2.6.0 | MIT | 6 | 2020-06-16 - 21:22 | almost 4 years |
| 2.5.0 | MIT | 6 | 2020-04-05 - 20:51 | about 4 years |
| 2.4.0 | MIT | 6 | 2019-11-25 - 18:45 | over 4 years |
| 2.3.1 | MIT | 6 | 2019-10-22 - 13:14 | over 4 years |
| 2.3.0 | MIT | 8 | 2019-09-28 - 17:37 | over 4 years |
| 2.2.3 | MIT | 8 | 2018-10-30 - 13:01 | over 5 years |
| 2.2.2 | MIT | 10 | 2018-03-22 - 15:10 | about 6 years |
| 2.2.1 | MIT | 10 | 2018-03-19 - 20:32 | about 6 years |
| 2.2.0 | MIT | 12 | 2018-02-11 - 22:23 | about 6 years |
| 2.1.1 | MIT | 10 | 2017-09-25 - 01:11 | over 6 years |
| 2.1.0 | MIT | 10 | 2017-09-24 - 20:48 | over 6 years |
| 2.1.0.rc2 | MIT | 8 | 2016-01-11 - 18:31 | over 8 years |
| 2.1.0.rc1 | MIT | 8 | 2015-08-17 - 23:21 | over 8 years |
| 2.0.3 | MIT | 8 | 2015-08-17 - 18:13 | over 8 years |
| 2.0.2 | MIT | 8 | 2015-05-05 - 19:59 | almost 9 years |
| 2.0.1 | MIT | 8 | 2014-08-21 - 21:28 | over 9 years |
| 2.0.0 | MIT | 8 | 2014-05-09 - 22:51 | almost 10 years |
| 1.2.1 | UNKNOWN | 8 | 2012-04-14 - 19:08 | about 12 years |
| 1.2.0 | UNKNOWN | 8 | 2011-08-08 - 16:54 | over 12 years |
| 1.1.0 | UNKNOWN | 8 | 2011-08-08 - 05:30 | over 12 years |
| 1.0.0 | UNKNOWN | 8 | 2010-10-26 - 04:52 | over 13 years |
| 1.0.0.beta.1 | UNKNOWN | 8 | 2010-07-21 - 06:56 | almost 14 years |
| 0.4.7 | UNKNOWN | 8 | 2010-03-09 - 20:47 | about 14 years |
| 0.4.6 | UNKNOWN | 8 | 2010-02-02 - 14:54 | about 14 years |
| 0.4.5 | UNKNOWN | 9 | 2010-02-02 - 12:27 | about 14 years |
| 0.4.4 | UNKNOWN | 9 | 2010-02-01 - 21:59 | about 14 years |
| 0.4.3 | UNKNOWN | 9 | 2010-01-31 - 20:18 | over 14 years |
| 0.4.2 | UNKNOWN | 9 | 2010-01-24 - 03:54 | over 14 years |
| 0.4.1 | UNKNOWN | 9 | 2009-11-23 - 12:17 | over 14 years |
| 0.4.0 | UNKNOWN | 9 | 2009-11-22 - 03:59 | over 14 years |
| 0.3.1 | UNKNOWN | 9 | 2009-10-13 - 06:15 | over 14 years |
| 0.3.0 | UNKNOWN | 9 | 2009-10-07 - 10:38 | over 14 years |
| 0.2.2 | UNKNOWN | 9 | 2009-09-24 - 22:14 | over 14 years |
| 0.2.1 | UNKNOWN | 9 | 2009-08-20 - 05:39 | over 14 years |
| 0.2.0 | UNKNOWN | 9 | 2009-08-18 - 05:20 | over 14 years |