CVE-2022-23514
Inefficient Regular Expression Complexity vulnerability in loofah (RubyGems)

Weakness class: Inefficient Regular Expression Complexity (CWE-1333). Known public exploits: none.

What is CVE-2022-23514 About?

Loofah versions `< 2.19.1` are vulnerable to a denial of service caused by an inefficient regular expression. The regex runs while Loofah sanitizes certain SVG attributes; a crafted attribute value makes it backtrack excessively and consume CPU for as long as the match runs. Triggering the condition is easy: the attacker only has to get a crafted value into content that the application passes to Loofah for sanitization.

Affected Software

loofah (RubyGems) < 2.19.1, fixed in 2.19.1

Technical Details

The vulnerability in Loofah versions < 2.19.1 stems from an inefficient regular expression used when sanitizing certain SVG attributes. Backtracking by itself is normal: when one way of matching fails, the engine goes back and tries another. The problem arises when a pattern is ambiguous, for example when nested or adjacent quantifiers allow the same stretch of input to be divided between them in many ways. A value that almost matches but fails near the end then forces the engine to try every division before it gives up, and the number of divisions grows exponentially with the length of the value. An attacker who controls an SVG attribute value can choose one that maximises this behaviour, so a single sanitization call can pin a CPU core for seconds or longer. In a typical web application the sanitizer runs inside the request, so a handful of such requests exhausts the application's workers and makes it unresponsive.
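The following is an added example, not code from Loofah or from the advisory, and the regex in it is a constructed stand-in rather than the pattern that was fixed in 2.19.1. It shows the mechanism described above: a nested quantifier that backtracks exponentially on a crafted value, an equivalent rewrite whose backtracking stays bounded, and two version-independent mitigations (a length cap on untrusted attribute values and a wall-clock budget on the match). `MAX_ATTR_LEN` and the sample inputs are assumptions made for the example.

```ruby
# Added example, not Loofah's code: a constructed regex with a nested
# quantifier that backtracks exponentially on a crafted attribute value,
# a linear rewrite that accepts the same language, and two mitigations.
require "timeout"
require "benchmark"

# Constructed pattern (illustrative only, not the one fixed in Loofah).
# "(\w+\s?)+" is ambiguous: a run of n word characters can be split between
# iterations in 2^(n-1) ways, and when the final "\z" fails every split
# is tried before the engine gives up.
BACKTRACKING_RE = /\A(\w+\s?)+\z/

# Same language, no overlapping quantifiers: one word, then single-space
# separated words, then at most one trailing space. Backtracking stays bounded.
LINEAR_RE = /\A\w+(?:\s\w+)*\s?\z/

# Crafted value of the kind an attacker would put in an attribute: n word
# characters followed by one character the pattern cannot accept.
def crafted_value(n)
  "a" * n + "!"
end

# Run a match under a wall-clock budget. Returns true/false when the match
# finishes and :timeout when the budget is exceeded. Ruby >= 3.2 provides
# Regexp.timeout= for exactly this and also memoises backtracking, which
# defuses many such patterns; Timeout is used here so the example also runs
# on older interpreters.
def match_with_budget(re, value, budget_s)
  Timeout.timeout(budget_s) { re.match?(value) }
rescue Timeout::Error
  :timeout
end

# Cheapest defence for untrusted attribute values: cap the length before any
# regex sees them. MAX_ATTR_LEN is an assumed, illustrative limit.
MAX_ATTR_LEN = 256

def check_attribute(value, re = LINEAR_RE)
  return :rejected_too_long if value.length > MAX_ATTR_LEN
  re.match?(value)
end

# Both patterns must agree on ordinary inputs before one replaces the other.
def patterns_agree?(values)
  values.all? { |v| BACKTRACKING_RE.match?(v) == LINEAR_RE.match?(v) }
end

if __FILE__ == $PROGRAM_NAME
  samples = ["foo", "foo bar", "foo bar ", "foo  bar", "", " foo", "a b c d"]
  puts "patterns agree on samples: #{patterns_agree?(samples)}"
  value = crafted_value(20)
  [BACKTRACKING_RE, LINEAR_RE].each do |re|
    result = nil
    secs = Benchmark.realtime { result = match_with_budget(re, value, 5) }
    printf("%-22s result=%-8s %.3fs\n", re.source, result.inspect, secs)
  end
  puts "capped: #{check_attribute(crafted_value(10_000)).inspect}"
end
```

Run it with `ruby redos_demo.rb`. On Ruby 3.1 and earlier the first pattern takes noticeably longer for every character added to the crafted value, while the linear rewrite finishes immediately on values thousands of characters long; on Ruby 3.2 and later the interpreter's memoisation hides most of the difference, which is why upgrading the interpreter is a worthwhile defence in depth but not a substitute for upgrading Loofah.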

What is the Impact of CVE-2022-23514?

Successful exploitation lets an unauthenticated attacker cause a denial of service: each crafted value ties up a CPU core for the duration of the match, and repeated requests leave the application unresponsive. There is no confidentiality or integrity impact; the effect is limited to availability.

What is the Exploitability of CVE-2022-23514?

Exploitation is of low complexity. No authentication is required: the attacker only needs to supply crafted input that reaches a vulnerable Loofah sanitization call, typically over the network through any feature that accepts HTML or SVG from users (comments, rich-text fields, uploads that are sanitized before display). The prerequisites are a vulnerable Loofah version and a code path that sanitizes user-controlled SVG attributes. Note that applications rarely depend on Loofah directly; Rails applications pull it in through rails-html-sanitizer, so an application can be affected without loofah appearing in its Gemfile. The only special condition is crafting the attribute value so that it triggers the backtracking, which is straightforward once the pattern is known. Risk is highest for applications that accept and sanitize untrusted SVG content, since that is the direct vector.

What are the Known Public Exploits?

No public proof-of-concept or exploit code is known for this CVE.

What are the Available Fixes for CVE-2022-23514?

Available Upgrade Options

  • loofah
    • <2.19.1 → Upgrade to 2.19.1
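Because loofah is usually an indirect dependency, the resolved version in `Gemfile.lock` is what matters, not the Gemfile. The following added example (not from the advisory or the Loofah project) reads a lock file and reports whether the resolved loofah version predates the fix. The lock file contents are constructed samples, not taken from any real project.

```ruby
# Added example, not from the advisory or the Loofah project: decide from a
# Gemfile.lock whether the resolved loofah version predates the 2.19.1 fix.
FIXED_LOOFAH = Gem::Version.new("2.19.1")

# In Gemfile.lock, resolved gems sit under "specs:" as "    name (version)"
# (exactly four leading spaces). Their dependencies are indented six spaces
# and carry requirements such as "(>= 2.3.0)", so only the four-space line
# is taken as the resolved version.
def resolved_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/
  lockfile_text.each_line do |line|
    m = pattern.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# true  -> loofah resolved below 2.19.1 (affected)
# false -> loofah at or above 2.19.1
# nil   -> loofah not present in the lock file
def loofah_affected?(lockfile_text)
  version = resolved_version(lockfile_text, "loofah")
  return nil if version.nil?
  version < FIXED_LOOFAH
end

# Constructed sample lock file (not a real project). loofah is present only
# because rails-html-sanitizer depends on it.
AFFECTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.10-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)
      rails-html-sanitizer (1.4.3)
        loofah (>= 2.3.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails-html-sanitizer
LOCK

# Same lock file after `bundle update loofah --conservative`.
FIXED_LOCK = AFFECTED_LOCK.sub("loofah (2.19.0)", "loofah (2.19.1)")

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : AFFECTED_LOCK
  found = resolved_version(text, "loofah")
  case loofah_affected?(text)
  when true  then puts "loofah #{found} is affected by CVE-2022-23514; upgrade to 2.19.1"
  when false then puts "loofah #{found} is not affected by CVE-2022-23514"
  else            puts "loofah is not present in this lock file"
  end
end
```

Usage: `ruby check_loofah.rb path/to/Gemfile.lock`; without an argument it runs against the embedded sample. `Gem::Version` does the comparison so that versions such as `2.19.0` and `2.9.1` are ordered numerically rather than as strings.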

Additional Resources

What are Similar Vulnerabilities to CVE-2022-23514?

Similar Vulnerabilities: CVE-2022-40898, CVE-2022-23516 (a second Loofah advisory, uncontrolled recursion, fixed in the same 2.19.1 release), CVE-2020-15160, CVE-2016-5120, CVE-2015-8854