Package Instance

Integer Overflow or Wraparound in libxml2 affects Nokogiri
### Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).

libxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824).
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri
`< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden
defaults at installation time to use _system_ libraries instead of packaged libraries,
you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.

### Mitigation

Upgrade to Nokogiri `>= 1.13.5`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also
address these same issues.

### Impact

#### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)

- **CVSS3 score**:
  - Unspecified upstream
  - Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)). Note that this is different from the CVSS assessed by NVD.
- **Type**: Denial of service, information disclosure
- **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.


### References

- [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14)
- [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)
- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).

libxml2 v2.13.6 addresses:

- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Nokogiri CSS selector tokenizer has regular expression backtracking
## Summary

Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:

1. String-literal tokenization on certain unterminated quoted-string input.
2. String-literal tokenization on a separate class of hex-escape-rich input.
3. Identifier tokenization on hex-escape-rich input.

The public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.


## Mitigation

Upgrade to Nokogiri `>= 1.19.3`.

If users are unable to upgrade, two options are available:

- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.
- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.

## Severity

The Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).

An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.


## Resources

- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)


## Credit

Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.

Out-of-bounds Write in zlib affects Nokogiri
## Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements. 

## Mitigation

Upgrade to Nokogiri `>= v1.13.4`.

## Impact

### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib

- **Severity**: High
- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write
- **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
## Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).

libxml2 v2.13.6 addresses:

- CVE-2025-24928
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
   - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

## Impact

### CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation
errors if the input contains a long (~3kb) QName prefix.

### CVE-2024-56171

Use-after-free is possible during validation against untrusted
XML Schemas (.xsd) and, potentially, validation of untrusted documents
against trusted Schemas if they make use of `xsd:keyref` in combination
with recursively defined types that have additional identity constraints.

Nokogiri does not check the return value from xmlC14NExecute
Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure.

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Nokogiri v1.16.5 upgrades its dependency libxml2 to
[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
Nokogiri upgrades its dependency libxml2 as follows:
- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.

JRuby users are not affected.

Improper Handling of Unexpected Data Type in Nokogiri
### Summary

Nokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.

### Severity

The Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1).

### Mitigation

CRuby users should upgrade to Nokogiri `>= 1.13.6`.

JRuby users are not affected.

### Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a
`String` by calling `#to_s` or equivalent.

Nokogiri XSLT transform has a memory leak
## Summary

Nokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.

For applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.


## Mitigation

Upgrade to Nokogiri `>= 1.19.3`.

Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.


## Severity

The Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.

Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.

Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.


## Resources

- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)


## Credit

This vulnerability was responsibly reported by @Captainjack-kor.

Duplicate
This advisory duplicates another.

Nokogiri patches vendored libxml2 to resolve multiple CVEs
## Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address
CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,
and CVE-2025-49796.

## Impact and severity

### CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer
overflows in buffer size calculations can lead to a stack-based
buffer overflow. This issue can result in memory corruption or a
denial of service when processing crafted input.

NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

### CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which
can cause it to crash. This issue might allow attackers to run
harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low
(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

### CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue
occurs when parsing XPath elements under certain circumstances when
the XML schematron has the <sch:name path="..."/> schema elements.
This flaw allows a malicious actor to craft a malicious XML document
used as input for libxml, resulting in the program's crash using
libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

### CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when
processing XPath XML expressions. This flaw allows an attacker to
craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

### CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name
elements from the input XML file can trigger a memory corruption
issue. This flaw allows an attacker to craft a malicious XML input
file that can lead libxml to crash, resulting in a denial of service
or other possible undefined behavior due to sensitive data being
corrupted in memory.

NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

## Affected Versions

- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

## Patched Versions

- Nokogiri >= 1.18.9

## Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more
complicated mitigation: compile and link Nokogiri against patched
external libxml2 libraries which will also address these same issues.

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
### Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to
[v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from
v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)

Please note that this advisory only applies to the CRuby implementation of
Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If
you've overridden defaults at installation time to use _system_ libraries
instead of packaged libraries, you should instead pay attention to your
distro's `libxml2` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.13.9`.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2
`>= 2.10.3` which will also address these same issues.


### Impact

#### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)

- **CVSS3 score**: Under evaluation
- **Type**: Denial of service
- **Description**: NULL Pointer Dereference allows attackers to cause a denial
of service (or application crash). This only applies when lxml is used
together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not
affected. It allows triggering crashes through forged input data, given a
vulnerable code sequence in the application. The vulnerability is caused by
the iterwalk function (also used by the canonicalize function). Such code
shouldn't be in wide-spread use, given that parsing + iterwalk would usually
be replaced with the more efficient iterparse function. However, an XML
converter that serialises to C14N would also be vulnerable, for example, and
there are legitimate use cases for this code sequence. If untrusted input is
received (also remotely) and processed via iterwalk function, a crash can be
triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not
affect Nokogiri users.


#### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)

- **CVSS3 score**: Unspecified upstream
- **Type**: Data corruption, denial of service
- **Description**: When an entity reference cycle is detected, the entity
content is cleared by setting its first byte to zero. But the entity content
might be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2


#### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)

- **CVSS3 score**: Unspecified upstream
- **Type**: Integer overflow
- **Description**: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0