Inefficient Regular Expression Complexity in rails-html-sanitizer
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-23517 is a ReDoS vulnerability in rails-html-sanitizer < 1.4.4 where an inefficient regex for SVG attributes can cause CPU exhaustion via crafted input.
Vulnerability
Overview
CVE-2022-23517 is a Regular Expression Denial of Service (ReDoS) vulnerability in the rails-html-sanitizer gem, which is responsible for sanitizing HTML fragments in Rails applications. The flaw exists in versions prior to 1.4.4, where an inefficient regular expression is used when sanitizing certain SVG attributes. This regex is susceptible to excessive backtracking when processing specially crafted input, leading to high CPU consumption [1][4].
Exploitation
An attacker can exploit this vulnerability by providing a malicious HTML fragment containing a crafted SVG attribute that triggers the inefficient regex. The attack does not require authentication if the application sanitizes user-supplied HTML input (e.g., via the `sanitize` helper). The attacker only needs to submit the payload to a vulnerable endpoint, and the server will spend excessive CPU time attempting to sanitize the input, potentially causing a denial of service [4].
Impact
Successful exploitation results in a denial of service through CPU resource exhaustion. The vulnerability does not affect confidentiality or integrity, but it can render the application unresponsive or degrade performance for legitimate users. NVD has not yet assigned a CVSS vector; the vector published in the GitHub advisory indicates a high availability impact with low attack complexity and no privileges required [4].
Mitigation
The issue has been patched in rails-html-sanitizer version 1.4.4. Users should upgrade to this version or later. No workaround is available; upgrading is the only recommended mitigation [1][4].
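Because upgrading is the only mitigation, the practical check is whether a deployment's lockfile still pins an affected release. The script below is an added example, not code from the advisory or the rails-html-sanitizer project: it parses the `specs:` block of a Gemfile.lock (a constructed sample is embedded; pass a real path as the first argument to scan one) and compares the locked `rails-html-sanitizer` version against the patched 1.4.4 using `Gem::Version`, so that releases such as 1.4.10 compare correctly instead of lexically.

```ruby
# Added example (not part of the advisory or the rails-html-sanitizer project):
# flag a Gemfile.lock whose rails-html-sanitizer is below the patched 1.4.4.
require "rubygems" # Gem::Version gives semantic (not string) version comparison

PATCHED_VERSION = Gem::Version.new("1.4.4")

# Constructed sample Gemfile.lock fragment, not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
LOCK

# Collect every top-level "name (version)" entry from the specs block.
# Top-level gems are indented exactly four spaces; their dependencies
# (indented six) are deliberately skipped, since those carry constraints,
# not resolved versions. Returns {name => version}.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, acc|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      acc[m[1]] = m[2]
    end
  end
end

# Returns the locked rails-html-sanitizer version if it is below 1.4.4,
# nil if the gem is absent or already at a patched release.
def vulnerable_sanitizer_version(lockfile_text)
  version = locked_versions(lockfile_text)["rails-html-sanitizer"]
  return nil unless version

  Gem::Version.new(version) < PATCHED_VERSION ? version : nil
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  found = vulnerable_sanitizer_version(text)
  if found
    puts "rails-html-sanitizer #{found} is affected by CVE-2022-23517; upgrade to 1.4.4 or later"
  else
    puts "rails-html-sanitizer not present or already >= 1.4.4"
  end
end
```

Run it as `ruby check_sanitizer.rb Gemfile.lock` in a project root; with no argument it evaluates the constructed sample, which pins 1.4.3 and is therefore reported as affected.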
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rails-html-sanitizer (RubyGems) | < 1.4.4 | 1.4.4 |
Affected products
No CPE identifiers are assigned; entries are package URLs (purl) as listed in the advisory data.

| Package (purl) | Affected range |
|---|---|
| pkg:gem/rails-html-sanitizer | < 1.4.4 |
| pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.4 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.5 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Tumbleweed | < 1.5.0-1.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5 | < 1.0.4-150000.4.6.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 | < 1.0.3-8.14.1 |
| pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 | < 1.0.3-8.14.1 |
| rails/rails-html-sanitizer (GitHub repository, v5) | < 1.4.4 |
Patches
1 commit: 56c61c0cebd1 "fix: replace slow regex attribute check with Loofah method"
2 files changed · +13 −1
lib/rails/html/scrubbers.rb+3 −1 modified@@ -146,9 +146,11 @@ def scrub_attribute(node, attr_node) attr_node.remove end end + if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name) - attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value + Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node) end + if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m attr_node.remove end
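Review bot: the replacement line drops the `if attr_node.value` guard that the removed `gsub` line carried, so `Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node)` is now invoked even when the attribute has a nil value; either confirm the Loofah method tolerates that or keep the guard, e.g. `Loofah::HTML5::Scrub.scrub_attribute_that_allows_local_ref(attr_node) if attr_node.value`. This hunk also makes the scrubber depend on a Loofah method that older Loofah releases may not provide, yet only `lib/rails/html/scrubbers.rb` and `test/sanitizer_test.rb` are touched, so the gemspec's minimum Loofah version should be raised in the same change.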
test/sanitizer_test.rb+10 −0 modified@@ -606,6 +606,16 @@ def test_disallow_the_dangerous_safelist_combination_of_select_and_style refute_includes(sanitized, "style") end + def test_scrubbing_svg_attr_values_that_allow_ref + input = %Q(<div fill="yellow url(http://bad.com/) #fff">hey</div>) + expected = %Q(<div fill="yellow #fff">hey</div>) + actual = scope_allowed_attributes %w(fill) do + safe_list_sanitize(input) + end + + assert_equal(expected, actual) + end + protected def xpath_sanitize(input, options = {})
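Review bot: `test_scrubbing_svg_attr_values_that_allow_ref` only asserts that a remote `url(http://bad.com/)` is stripped from `fill`; add a companion assertion that a local fragment reference such as `url(#gradient)` is preserved, since that is exactly the distinction the removed `[^#\s]` character class enforced and the Loofah replacement must keep. A second test that sanitizes a long `fill` value and asserts completion within a time bound would pin the slow-regex behaviour named in the commit message, which this hunk does not cover.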
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-5x79-w82f-gw8w (GHSA: ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2022-23517 (GHSA: ADVISORY)
3. github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 (GHSA: x_refsource_MISC, WEB)
4. github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w (GHSA: x_refsource_CONFIRM, WEB)
5. github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml (GHSA: WEB)
6. hackerone.com/reports/1684163 (GHSA: x_refsource_MISC, WEB)
7. lists.debian.org/debian-lts-announce/2023/09/msg00012.html (GHSA: WEB)
8. lists.debian.org/debian-lts-announce/2024/09/msg00045.html (GHSA: WEB)