Skip to main content

Uncontrolled Recursion


Severity High
Score 7.5/10


Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah versions 2.2.0 through 2.19.0 use recursion for sanitizing "CDATA" sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

  • LOW
  • NONE
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Advisory Timeline

  • Published