ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
UNAFFECTED VERSIONS
- < 2.2.0
PATCHED VERSIONS
- >= 2.19.1
DESCRIPTION
Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.