Uncontrolled Recursion
CVE-2022-23516
Summary
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah versions 2.2.0 through 2.19.0 sanitize "CDATA" sections recursively, so attacker-controlled input can drive the recursion deep enough to exhaust the interpreter's stack and raise a SystemStackError. Because SystemStackError descends from Exception rather than StandardError, a bare `rescue` in application code does not catch it, and the process or request handling the input fails; the advisory classifies this as a denial of service through resource consumption. The issue is fixed in Loofah 2.19.1. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are passed to Loofah for sanitization.
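The following Ruby block is an added example and is not Loofah's code; it models the CWE-674 pattern the summary describes with a hypothetical `Node` struct standing in for Nokogiri nodes, and compares an uncontrolled recursive scrub (one Ruby frame per nesting level, the shape of the vulnerable behaviour) with two hardened forms: recursion bounded by a depth limit (`MAX_DEPTH`, an assumed value) and an iterative walk over an explicit stack. It also shows the advisory's own mitigation, a byte-length cap applied before sanitizing, as `guarded_sanitize` (hypothetical name). The nested document is constructed inline; the exact input that triggers the recursion inside Loofah is not reproduced here.

```ruby
# Added example modelling CWE-674 (uncontrolled recursion); not Loofah's code.
# Hypothetical minimal node type standing in for Nokogiri::XML::Node.
Node = Struct.new(:type, :text, :children)

class DepthLimitExceeded < StandardError; end
class InputTooLarge < StandardError; end

# Assumed limits for the hardened variants.
MAX_DEPTH = 256
MAX_INPUT_BYTES = 1_000_000

# Constructed input: a document nested `depth` levels deep with one CDATA leaf
# containing markup that a sanitizer must escape. Built iteratively so the
# builder itself cannot overflow the stack.
def build_nested_doc(depth)
  node = Node.new(:cdata, "<script>alert(1)</script>", [])
  depth.times { node = Node.new(:element, nil, [node]) }
  node
end

# Escape markup characters so CDATA content cannot be re-parsed as tags.
def escape_tags(text)
  text.gsub("<", "&lt;").gsub(">", "&gt;")
end

# 1. Uncontrolled recursion: stack usage grows with the nesting depth of the
#    input, so a deep enough document raises SystemStackError.
def scrub_recursive(node)
  node.text = escape_tags(node.text) if node.type == :cdata
  node.children.each { |child| scrub_recursive(child) }
  node
end

# 2. Bounded recursion: still recursive, but refuses input nested deeper than
#    MAX_DEPTH with an ordinary exception instead of exhausting the stack.
def scrub_bounded(node, depth = 0)
  raise DepthLimitExceeded, "nesting deeper than #{MAX_DEPTH}" if depth > MAX_DEPTH

  node.text = escape_tags(node.text) if node.type == :cdata
  node.children.each { |child| scrub_bounded(child, depth + 1) }
  node
end

# 3. Iterative traversal: an explicit stack lives on the heap, so nesting depth
#    no longer affects the interpreter stack at all.
def scrub_iterative(node)
  stack = [node]
  until stack.empty?
    current = stack.pop
    current.text = escape_tags(current.text) if current.type == :cdata
    # Push in reverse so children are visited in document order.
    stack.concat(current.children.reverse)
  end
  node
end

# Mitigation named in the advisory: cap the size of the string handed to the
# sanitizer before it is parsed at all. `sanitizer` is any callable.
def guarded_sanitize(input, sanitizer, max_bytes: MAX_INPUT_BYTES)
  raise InputTooLarge, "#{input.bytesize} bytes exceeds #{max_bytes}" if input.bytesize > max_bytes

  sanitizer.call(input)
end

# Run one strategy against a document of the given depth and report what
# happened. SystemStackError must be rescued by name: a bare `rescue` only
# catches StandardError.
def outcome(strategy, depth)
  send(strategy, build_nested_doc(depth))
  :ok
rescue SystemStackError
  :stack_exhausted
rescue DepthLimitExceeded
  :rejected
end

def guard_outcome(input)
  guarded_sanitize(input, ->(s) { escape_tags(s) })
rescue InputTooLarge
  :too_large
end

if $PROGRAM_NAME == __FILE__
  [10, 200_000].each do |depth|
    %i[scrub_recursive scrub_bounded scrub_iterative].each do |strategy|
      puts "#{strategy} at depth #{depth}: #{outcome(strategy, depth)}"
    end
  end
  puts "guard on 2 MB input: #{guard_outcome('<b>' * 400_000)}"
end
```

The recursive variant fails only when the input is deep, which is exactly why this class of bug survives ordinary testing; the bounded and iterative variants turn the attacker's choice of nesting depth into either a predictable, catchable error or a non-issue. The length cap is coarser but needs no knowledge of the sanitizer's internals, which is why the advisory offers it as the fallback for users who cannot upgrade.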
Severity metrics (CVSS v3)
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH
CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
References
Advisory Timeline
- Published