CVE-2022-23516
Uncontrolled Recursion vulnerability in loofah (RubyGems)
What is CVE-2022-23516 About?
This vulnerability in Loofah `>= 2.2.0, < 2.19.1` is caused by uncontrolled recursion when sanitizing CDATA sections. It can lead to a denial of service due to stack exhaustion. Exploiting this vulnerability is relatively easy as it can be triggered by crafting a malicious input.
Affected Software
loofah (RubyGems) >= 2.2.0, < 2.19.1
Technical Details
The vulnerability lies in the way Loofah processes CDATA sections in versions >= 2.2.0 and < 2.19.1. The sanitization mechanism for CDATA sections relies on a recursive function. An attacker can craft a malicious input containing deeply nested or excessively long CDATA sections. When Loofah attempts to sanitize this input, the recursive function calls itself too many times, exhausting the stack and raising a SystemStackError exception. This continuous resource consumption results in a denial of service (DoS) for the application, as the process consumes all available CPU resources handling the oversized recursive calls.
What is the Impact of CVE-2022-23516?
Successful exploitation may allow attackers to cause a denial of service (DoS) by exhausting system resources, making the application unresponsive to legitimate users.
What is the Exploitability of CVE-2022-23516?
Exploitation is of low to moderate complexity. No authentication is required for an attacker to trigger this vulnerability, as it depends on the processing of arbitrary input by the Loofah library. Attackers can typically supply specially crafted input remotely. The primary prerequisite is that the application uses a vulnerable version of Loofah and processes user-controlled data that can include CDATA sections. The risk of exploitation is high in applications that handle untrusted XML or HTML content and use the affected Loofah versions, as a simple malformed input can lead to a denial of service.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23516?
Available Upgrade Options
- loofah
  - >= 2.2.0, < 2.19.1 → Upgrade to 2.19.1
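An added audit script (not Loofah project code) that flags a Gemfile.lock pinning loofah inside the affected range stated above; the Gemfile.lock contents below are a constructed sample.

```ruby
# Added example: audit a Gemfile.lock for a loofah version inside the
# range CVE-2022-23516 affects (>= 2.2.0, < 2.19.1). Fixed in 2.19.1.
require "rubygems"

LOOFAH_AFFECTED = Gem::Requirement.new(">= 2.2.0", "< 2.19.1")
LOOFAH_FIXED    = Gem::Version.new("2.19.1")

# Pull the resolved loofah version out of Gemfile.lock text.
# Resolved gems appear as "    name (version)" (4 spaces) under specs:;
# dependency lines are indented 6 spaces and carry constraints, so the
# anchored regex skips them.
def loofah_version_from_lock(lock_text)
  lock_text.each_line do |line|
    if (m = line.match(/^\s{4}loofah \((\d[^)\s]*)\)/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify the lock file: :vulnerable, :ok, or :not_present.
def audit_loofah(lock_text)
  version = loofah_version_from_lock(lock_text)
  return { status: :not_present, version: nil } if version.nil?
  if LOOFAH_AFFECTED.satisfied_by?(version)
    { status: :vulnerable, version: version.to_s, upgrade_to: LOOFAH_FIXED.to_s }
  else
    { status: :ok, version: version.to_s }
  end
end

# Constructed sample lock file (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  p audit_loofah(SAMPLE_LOCK)
end
```

Point `audit_loofah` at `File.read("Gemfile.lock")` to check a real project.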
Additional Resources
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html
- https://osv.dev/vulnerability/GHSA-3x8r-x6xp-q4vm
- https://github.com/flavorjones/loofah
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
- https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
- https://nvd.nist.gov/vuln/detail/CVE-2022-23516
What are Similar Vulnerabilities to CVE-2022-23516?
Similar Vulnerabilities: CVE-2022-23514, CVE-2022-40898, CVE-2021-3807, CVE-2018-1000632, CVE-2017-7521
