VulnerableCode Package Details - pkg:gem/nokogiri@1.19.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jfh3-1sgm-7ug2	Nokogiri does not check the return value from xmlC14NExecute ## Summary Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries. JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure. ## Mitigation Upgrade to Nokogiri `>= 1.19.1`. ## Severity The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References). ## Credit This vulnerability was responsibly reported by HackerOne researcher `d4d`.	GHSA-wx95-c6cv-8532

Vulnerability

Summary

Aliases

VCID-jfh3-1sgm-7ug2

Nokogiri does not check the return value from xmlC14NExecute ## Summary Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries. JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure. ## Mitigation Upgrade to Nokogiri `>= 1.19.1`. ## Severity The maintainers have assessed this as **Medium** severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References). ## Credit This vulnerability was responsibly reported by HackerOne researcher `d4d`.

GHSA-wx95-c6cv-8532

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:18:19.914568+00:00	GitLab Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/nokogiri/GHSA-wx95-c6cv-8532.yml	38.4.0
2026-04-12T01:42:38.367097+00:00	GitLab Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/nokogiri/GHSA-wx95-c6cv-8532.yml	38.3.0
2026-04-03T01:51:28.186481+00:00	GitLab Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/nokogiri/GHSA-wx95-c6cv-8532.yml	38.1.0
2026-04-01T16:08:01.518396+00:00	GHSA Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://github.com/advisories/GHSA-wx95-c6cv-8532	38.0.0
2026-04-01T12:53:53.451447+00:00	GitLab Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/nokogiri/GHSA-wx95-c6cv-8532.yml	38.0.0
2026-04-01T12:52:59.166309+00:00	GithubOSV Importer	Fixing	VCID-jfh3-1sgm-7ug2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-wx95-c6cv-8532/GHSA-wx95-c6cv-8532.json	38.0.0