Improper neutralization of data URIs may allow XSS in Loofah
Description
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Loofah HTML sanitizer allows XSS via `image/svg+xml` data URIs, patched in version 2.19.1.
Vulnerability
Analysis
CVE-2022-23515 affects Loofah, a Ruby library for manipulating and sanitizing HTML/XML documents built on Nokogiri [1]. The vulnerability exists in Loofah versions from 2.1.0 up to, but not including, 2.19.1, where the sanitizer improperly allowed the image/svg+xml media type in data URIs [2]. This means that SVG content embedded via data:image/svg+xml URIs was not filtered out, potentially allowing execution of JavaScript within an SVG context.
Exploitation
An attacker can exploit this by crafting a malicious SVG payload in a data URI, such as ``, which could be injected into a web page via a field that uses Loofah for sanitization [4]. No authentication is required; the attack surface is any application that relies on Loofah to sanitize user-supplied HTML before rendering it to other users. The vulnerability is cross-site scripting (XSS), triggered when the unsanitized SVG content is rendered in a browser.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session [3]. This can lead to data theft, session hijacking, or defacement. The CVSS score (severity) is not yet provided by NVD, but the issue is considered serious enough to warrant immediate patching [2].
Mitigation
The vulnerability was patched in Loofah version 2.19.1 [2]. The fix limits allowed data URI media types to only image/gif, image/jpeg, image/png, text/css, and text/plain, effectively blocking image/svg+xml [4]. All users running an affected version should upgrade immediately. No workarounds are documented for older versions.
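The following is an added, self-contained illustration (not Loofah's own code) of the policy the 2.19.1 fix enforces: a data: URI is accepted only if its media type, matched case-insensitively, is one of image/gif, image/jpeg, image/png, text/css or text/plain, so image/svg+xml and text/html are dropped. The function names, the `:allowed`/`:blocked`/`:not_data_uri` verdicts and the regex-based attribute scanner are constructed for this example; the scanner is a teaching aid that operates on a string, whereas a real sanitizer such as Loofah applies the same policy to a parsed DOM via Nokogiri.

```ruby
# Added example (not Loofah's code): data-URI media-type policy mirroring the
# allow-list that lib/loofah/html5/safelist.rb contains after commit 415677f.
require 'set'

# The five media types left in the allow-list after "image/svg+xml" was removed.
ALLOWED_URI_DATA_MEDIATYPES = Set.new(%w[
  image/gif image/jpeg image/png text/css text/plain
]).freeze

# Returns the normalised media type of a data: URI, or nil if +uri+ is not one.
# The scheme is matched case-insensitively ("DATA:" behaves like "data:"), and
# RFC 2397 allows an empty media type, which defaults to text/plain.
def data_uri_mediatype(uri)
  m = /\A[[:space:]]*data:([^;,]*)/i.match(uri.to_s)
  return nil unless m
  type = m[1].strip.downcase
  type.empty? ? 'text/plain' : type
end

# Verdict for a single URI value (constructed helper): non-data URIs are out of
# scope here (a real sanitizer checks them against a scheme allow-list) and
# yield :not_data_uri; data URIs yield :allowed or :blocked.
def data_uri_verdict(uri)
  type = data_uri_mediatype(uri)
  return :not_data_uri if type.nil?
  ALLOWED_URI_DATA_MEDIATYPES.include?(type) ? :allowed : :blocked
end

# Matches quoted href/src/xlink:href attributes. Constructed teaching aid: this
# does not parse HTML and must not be used as a sanitizer in its own right.
ATTR_RE = /\s+(href|src|xlink:href)\s*=\s*(["'])(.*?)\2/i

# Removes URI-valued attributes whose value is a blocked data: URI and keeps
# everything else untouched, the same outcome the Loofah tests expect
# (<svg><use href="data:image/svg+xml;..."/></svg> loses its href).
def strip_blocked_data_uris(html)
  html.gsub(ATTR_RE) do |attr|
    data_uri_verdict(Regexp.last_match(3)) == :blocked ? '' : attr
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, including the case variants the test suite covers.
  samples = [
    'data:image/png;base64,R0lGODlhAQABA',
    'DATA:IMAGE/PNG',
    'data:,plain%20text',
    'data:text/html;base64,R0lGODlhAQABA',
    'data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s',
    'DATA:IMAGE/SVG+XML',
    'https://example.invalid/logo.svg'
  ]
  samples.each { |s| puts "#{data_uri_verdict(s).to_s.ljust(13)} #{s}" }
  puts strip_blocked_data_uris(
    %(<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s"/></svg>)
  )
end
```

Two points the example makes concrete: the check must run on the normalised media type (lower-cased, parameters such as `;base64` stripped), otherwise `DATA:IMAGE/SVG+XML` slips past a literal comparison; and a URI with no media type is `text/plain` by specification, so treating an empty type as "unknown, block" would break legitimate inputs while treating it as "unknown, allow" would be unsafe for other defaults. Production code should leave URL normalisation to the HTML parser and URI library, which is exactly where Loofah applies this list.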
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| loofah (RubyGems) | >= 2.1.0, < 2.19.1 | 2.19.1 |
Affected products
8 products (GHSA coordinates, 7 version ranges):
- pkg:gem/loofah (no CPE): range >= 2.1.0, < 2.19.1
- pkg:rpm/opensuse/rubygem-loofah, distro openSUSE Leap 15.4 (no CPE): range < 2.2.2-150000.4.9.1
- pkg:rpm/opensuse/rubygem-loofah, distro openSUSE Tumbleweed (no CPE): range < 2.19.1-1.1
- pkg:rpm/suse/rubygem-loofah, distro SUSE Linux Enterprise High Availability Extension 15 SP1 (no CPE): range < 2.2.2-150000.4.9.1
- pkg:rpm/suse/rubygem-loofah, distro SUSE Linux Enterprise High Availability Extension 15 SP2 (no CPE): range < 2.2.2-150000.4.9.1
- pkg:rpm/suse/rubygem-loofah, distro SUSE Linux Enterprise High Availability Extension 15 SP3 (no CPE): range < 2.2.2-150000.4.9.1
- pkg:rpm/suse/rubygem-loofah, distro SUSE Linux Enterprise High Availability Extension 15 SP4 (no CPE): range < 2.2.2-150000.4.9.1
- flavorjones/loofah (CVE v5 record): range >= 2.1.0, < 2.19.1
Patches
1 patch: 415677f3cf7f (fix: do not allow "image/svg+xml" in data URIs)
2 files changed · +11 −4
lib/loofah/html5/safelist.rb+0 −1 modified@@ -999,7 +999,6 @@ module SafeList "image/gif", "image/jpeg", "image/png", - "image/svg+xml", "text/css", "text/plain", ])
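Review bot: the removal of `"image/svg+xml"` from the list in `lib/loofah/html5/safelist.rb` carries no comment explaining why that type is excluded while the other image types remain; a one-line note (an SVG is an XML document that can carry script and event handlers, so it cannot be treated as an opaque image the way gif/jpeg/png can) would stop a future contributor from reading the gap as an accidental omission and re-adding it. Because the test suite iterated over `ALLOWED_URI_DATA_MEDIATYPES` before this change, the constant is evidently used as public API, so the narrowing should also be called out in the changelog.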
test/html5/test_sanitizer.rb+11 −3 modified@@ -155,7 +155,7 @@ def test_should_allow_contenteditable end end - HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type| + ["image/gif", "image/jpeg", "image/png", "text/css", "text/plain"].each do |data_uri_type| define_method "test_should_allow_data_#{data_uri_type}_uris" do input = %(<a href="data:#{data_uri_type}">foo</a>) output = "<a href='data:#{data_uri_type}'>foo</a>" @@ -165,9 +165,7 @@ def test_should_allow_contenteditable output = "<a href='data:#{data_uri_type};base64,R0lGODlhAQABA'>foo</a>" check_sanitization(input, output, output, output) end - end - HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type| define_method "test_should_allow_uppercase_data_#{data_uri_type}_uris" do input = %(<a href="DATA:#{data_uri_type.upcase}">foo</a>) output = "<a href='DATA:#{data_uri_type.upcase}'>foo</a>" @@ -187,6 +185,16 @@ def test_should_disallow_other_uri_mediatypes input = %(<a href="data:image/xxx;base64,R0lGODlhAQABA">foo</a>) output = "<a>foo</a>" check_sanitization(input, output, output, output) + + input = %(<a href="data:text/html;base64,R0lGODlhAQABA">foo</a>) + output = "<a>foo</a>" + check_sanitization(input, output, output, output) + + # https://hackerone.com/bugs?report_id=1694173 + # https://github.com/w3c/svgwg/issues/266 + input = %(<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1s"/></svg>) + output = "<svg><use></use></svg>" + check_sanitization(input, output, output, output) end HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.each do |tag_name|
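Review bot: in the `@@ -155` hunk, replacing the loop over `HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES` with the literal `["image/gif", "image/jpeg", "image/png", "text/css", "text/plain"]` is the right move for a regression test, since the old loop could never fail when a type was added back to the constant. It would be worth adding one explicit equality assertion between the constant and that literal list (adjusting for the constant's container type) so that any future addition to the safelist surfaces as a test failure instead of silently going untested by the `test_should_allow_data_*` cases.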
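Review bot: the `@@ -165` hunk only removes an `end` and the second `HTML5::SafeList::ALLOWED_URI_DATA_MEDIATYPES.each` line, folding the `test_should_allow_uppercase_data_*` definitions into the preceding literal-list loop. The behaviour is unchanged, but the merge is easy to misread in a diff that mostly touches the safelist; a short comment on the surviving loop saying that both the lowercase and the uppercase cases are generated from the same pinned list would make the intent clear.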
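Review bot: the negative tests added in the `@@ -185` hunk exercise `text/html` through `<a href>` and `image/svg+xml` only through `<svg><use href="data:image/svg+xml;...">`. The uppercase loop earlier in the file shows that case-insensitive handling is an expected property, and the `@@ -155` loop shows the same allow-list governs other URI-valued attributes, so one `DATA:IMAGE/SVG+XML` variant and one non-`<use>` carrier (for example an `<img src>` with the same data URI) would close the coverage gaps this hunk leaves around the fix.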
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10 references:
- https://github.com/advisories/GHSA-228g-948r-83gx (ghsa; ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2022-23515 (ghsa; ADVISORY)
- https://github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f (ghsa; WEB)
- https://github.com/flavorjones/loofah/issues/101 (ghsa; x_refsource_MISC; WEB)
- https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx (ghsa; x_refsource_CONFIRM; WEB)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml (ghsa; WEB)
- https://github.com/w3c/svgwg/issues/266 (ghsa; WEB)
- https://hackerone.com/reports/1694173 (ghsa; x_refsource_MISC; WEB)
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html (ghsa; WEB)
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html (ghsa; WEB)
News mentions
No linked articles in our index yet.