High severityNVD Advisory· Published Dec 14, 2022· Updated Nov 3, 2025
Inefficient Regular Expression Complexity in rails-html-sanitizer
CVE-2022-23517
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rails-html-sanitizerRubyGems | < 1.4.4 | 1.4.4 |
Affected products
12- ghsa-coords11 versionspkg:gem/rails-html-sanitizerpkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 1.4.4+ 10 more
- (no CPE)range: < 1.4.4
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.5.0-1.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.3-8.14.1
- (no CPE)range: < 1.0.3-8.14.1
- Range: < 1.4.4
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-5x79-w82f-gw8wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-23517ghsaADVISORY
- github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979ghsax_refsource_MISCWEB
- github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8wghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.ymlghsaWEB
- hackerone.com/reports/1684163ghsax_refsource_MISCWEB
- lists.debian.org/debian-lts-announce/2023/09/msg00012.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00045.htmlghsaWEB
News mentions
0No linked articles in our index yet.