Search for packages
| purl | pkg:gem/nokogiri@1.6.2.rc2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-22km-jmtd-yyde
Aliases: USN-3424-1 |
Vulnerabilities in libxml2 The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375) It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376) Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047) Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048) Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050) |
Affected by 42 other vulnerabilities. |
|
VCID-2b1g-gp84-87e8
Aliases: CVE-2015-7499 GHSA-jxjr-5h69-qw3w |
Improper Restriction of Operations within the Bounds of a Memory Buffer Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. |
Affected by 47 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-2dje-jsyy-cqbe
Aliases: GMS-2015-42 |
Multiple vulnerabilities in libxml2, libxslt The vendored libxml2 and libxslt libraries have multiple vulnerabilities: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995 |
Affected by 52 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-2j62-5rjn-vyeu
Aliases: CVE-2015-8806 GHSA-7hp2-xwpj-95jq |
Uncontrolled Resource Consumption dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document. |
Affected by 46 other vulnerabilities. |
|
VCID-365e-j8ta-h7cn
Aliases: GHSA-xc9x-jj77-9p9j GMS-2024-127 |
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062 ## Summary Nokogiri upgrades its dependency libxml2 as follows: - Nokogiri v1.15.6 upgrades libxml2 to [2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) from 2.11.6 - Nokogiri v1.16.2 upgrades libxml2 to [2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: - CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. JRuby users are not affected. ## Mitigation Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. ## Impact From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`): > When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. ## Timeline - 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information - 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions - 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public - 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section - 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at https://github.com/sparklemotion/nokogiri/discussions/3146), updated mitigation information - 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-3f2w-tgya-x3cc
Aliases: CVE-2017-5029 GHSA-pf6m-fxpq-fg8v |
Upstream libxslt vulnerabilities The `xsltAddTextString` function in `transform.c` in libxslt, as used by nokogiri, lacks a check for integer overflow during a size calculation, which allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. |
Affected by 45 other vulnerabilities. Affected by 44 other vulnerabilities. |
|
VCID-3n8z-mqjc-6fh9
Aliases: OSVDB-118481 |
XML Document Root Element Handling Memory Consumption Remote DoS This package contains a flaw that is triggered when handling a root element in an XML document. This may allow a remote attacker to cause a consumption of memory resources. |
Affected by 53 other vulnerabilities. |
|
VCID-43qu-922g-myca
Aliases: GHSA-2qc6-mcvw-92cw GMS-2022-5550 |
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs ### Summary Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to [v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from v2.9.14. libxml2 v2.10.3 addresses the following known vulnerabilities: - [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) - [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) - [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.13.9`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.3` which will also address these same issues. ### Impact #### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) - **CVSS3 score**: Under evaluation - **Type**: Denial of service - **Description**: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users. #### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) - **CVSS3 score**: Unspecified upstream - **Type**: Data corruption, denial of service - **Description**: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees. See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2 #### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) - **CVSS3 score**: Unspecified upstream - **Type**: Integer overflow - **Description**: Integer overflows with XML_PARSE_HUGE See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 ### References - [libxml2 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases) - [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) - [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) - [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) |
Affected by 12 other vulnerabilities. |
|
VCID-64c1-dzhs-u3gj
Aliases: CVE-2019-5477 GHSA-cr5j-953j-xw5p |
Nokogiri has a vulnerability allowing arbitrary execution of code if a certain function is used. |
Affected by 34 other vulnerabilities. |
|
VCID-64ca-973e-nfgm
Aliases: GMS-2015-52 |
Vulnerabilities in libxml2 The vendored version of libxml2 is affected by multiple vulnerabilities. |
Affected by 48 other vulnerabilities. |
|
VCID-6r5w-pgkx-v3cb
Aliases: GHSA-353f-x4gh-cqq8 |
Nokogiri patches vendored libxml2 to resolve multiple CVEs ## Summary Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. ## Impact and severity ### CVE-2025-6021 A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae ### CVE-2025-6170 A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1 ### CVE-2025-49794 A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5 ### CVE-2025-49795 A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278 ### CVE-2025-49796 A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5 ## Affected Versions - Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2 ## Patched Versions - Nokogiri >= 1.18.9 ## Mitigation Upgrade to Nokogiri v1.18.9 or later. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. ## References - https://github.com/sparklemotion/nokogiri/pull/3526 - https://nvd.nist.gov/vuln/detail/CVE-2025-6021 - https://nvd.nist.gov/vuln/detail/CVE-2025-6170 - https://nvd.nist.gov/vuln/detail/CVE-2025-49794 - https://nvd.nist.gov/vuln/detail/CVE-2025-49795 - https://nvd.nist.gov/vuln/detail/CVE-2025-49796 |
Affected by 1 other vulnerability. |
|
VCID-7bpp-2hvk-2udv
Aliases: CVE-2020-24977 |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in a Denial of Service condition. |
Affected by 24 other vulnerabilities. |
|
VCID-8geh-vfns-pfgs
Aliases: CVE-2021-41098 GHSA-2rr5-8q37-2w7h |
Improper Restriction of XML External Entity Reference Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri. |
Affected by 23 other vulnerabilities. |
|
VCID-96v6-vs1m-skf3
Aliases: CVE-2019-13118 GHSA-cf46-6xxh-pc75 |
Improper Input Validation In `numbers.c` in libxslt, which is used by nokogiri, a type holding grouping characters of an `xsl:number` instruction was too narrow and an invalid character/length combination could be passed to `xsltNumberFormatDecimal`, leading to a read of uninitialized stack data. |
Affected by 32 other vulnerabilities. |
|
VCID-9hqf-12yh-bkc8
Aliases: CVE-2021-3518 GHSA-v4f8-2847-rwm7 |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in a Denial of Service condition. |
Affected by 24 other vulnerabilities. |
|
VCID-9p2f-ynzb-r3gj
Aliases: CVE-2015-5312 GHSA-xjqg-9jvg-fgx2 |
Vulnerabilities in libxml2 Several vulnerabilities were discovered in the libxml2 library that this package gem depends on. |
Affected by 48 other vulnerabilities. |
|
VCID-9wgc-swf9-z7hq
Aliases: CVE-2022-24836 GHSA-crjr-9rc5-ghw8 |
Inefficient Regular Expression Complexity Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. |
Affected by 16 other vulnerabilities. |
|
VCID-azzy-m5pc-qudn
Aliases: CVE-2017-16932 GHSA-x2fm-93ww-ggvx |
Loop with Unreachable Exit Condition ('Infinite Loop') parser.c in libxml2 does not prevent infinite recursion in parameter entities. |
Affected by 42 other vulnerabilities. |
|
VCID-b5tz-9s1v-pkg7
Aliases: CVE-2015-1819 GHSA-q7wx-62r7-j2x7 |
Vulnerabilities in libxml2 and libxslt Several vulnerabilities were discovered in the libxml2 and libxslt libraries that this package gem depends on. |
Affected by 50 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-bejh-22y7-kuh6
Aliases: CVE-2018-14404 GHSA-6qvp-r6r3-9p7h |
NULL Pointer Dereference A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. |
Affected by 38 other vulnerabilities. |
|
VCID-c6hb-sbhx-zqac
Aliases: GHSA-r3w4-36x6-7r99 |
Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references. ## Original Description ## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public |
Affected by 6 other vulnerabilities. |
|
VCID-cbm2-cez4-bqgh
Aliases: CVE-2022-23308 |
Use After Free `valid.c` in libxml2 before 2.9.13 has a use-after-free of `ID` and `IDREF` attributes. |
Affected by 21 other vulnerabilities. |
|
VCID-eb6k-ppfd-m7a3
Aliases: CVE-2022-40304 |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. |
Affected by 12 other vulnerabilities. |
|
VCID-ecde-c15q-ukh1
Aliases: CVE-2016-4658 GHSA-fr52-4hqw-p27f |
Improper Restriction of Operations within the Bounds of a Memory Buffer xpointer.c in libxml2 (as used in Apple iOS, OS X, tvOS, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document. |
Affected by 45 other vulnerabilities. |
|
VCID-ek5d-m9pn-3fec
Aliases: CVE-2021-3517 GHSA-jw9f-hh49-cvp9 |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in a Denial of Service condition. |
Affected by 24 other vulnerabilities. |
|
VCID-ghbk-uumc-dug3
Aliases: GHSA-r95h-9x8f-r3f7 |
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 ## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public |
Affected by 6 other vulnerabilities. |
|
VCID-gsar-pymk-43hs
Aliases: GHSA-v6gp-9mmm-c6p5 GMS-2022-787 |
Out-of-bounds Write in zlib affects Nokogiri ## Summary Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05. Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements. ## Mitigation Upgrade to Nokogiri `>= v1.13.4`. ## Impact ### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib - **Severity**: High - **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write - **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
Affected by 16 other vulnerabilities. |
|
VCID-hzjv-gf8n-jka2
Aliases: GHSA-vcc3-rw6f-jv97 |
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xc9x-jj77-9p9j. This link is maintained to preserve external references. # Original Description ### Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements. JRuby users are not affected. ### Severity The Nokogiri maintainers have evaluated this as **Moderate**. ### Impact From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`): > When using the XML Reader interface with DTD validation and XInclude expansion enabled, > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. ### Mitigation Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-jfh3-1sgm-7ug2
Aliases: GHSA-wx95-c6cv-8532 |
Nokogiri does not check the return value from xmlC14NExecute ## Summary Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries. JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure. ## Mitigation Upgrade to Nokogiri `>= 1.19.1`. ## Severity The maintainers have assessed this as **Medium** severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References). ## Credit This vulnerability was responsibly reported by HackerOne researcher `d4d`. |
Affected by 0 other vulnerabilities. |
|
VCID-jqdg-ebz9-t3e9
Aliases: GHSA-xxx9-3xcr-gjj3 GMS-2022-788 |
XML Injection in Xerces Java affects Nokogiri ## Summary Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record. Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. ## Mitigation Upgrade to Nokogiri `>= v1.13.4`. ## Impact ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J - **Severity**: Medium - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection) - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj |
Affected by 16 other vulnerabilities. |
|
VCID-m7km-hbm9-23h4
Aliases: GHSA-cgx6-hpwq-fhv5 GMS-2022-1438 |
Integer Overflow or Wraparound in libxml2 affects Nokogiri ### Summary Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14). libxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824). This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow. Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.13.5`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also address these same issues. ### Impact #### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824) - **CVSS3 score**: - Unspecified upstream - Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)). Note that this is different from the CVSS assessed by NVD. - **Type**: Denial of service, information disclosure - **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24 All versions of libml2 prior to v2.9.14 are affected. Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service. ### References - [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14) - [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824) - [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html) |
Affected by 15 other vulnerabilities. |
|
VCID-n6za-rwad-tbaq
Aliases: GHSA-7rrm-v45f-jp64 GMS-2021-171 |
Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12 ### Summary Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) (Medium severity) - [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) (Medium severity) - [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) (Medium severity) - [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) (Medium severity) - [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) (Low severity) - [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) (Low severity) Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see #1992). Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.11.4`, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.11.4`. ### Impact I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete. All information below is sourced from [security.archlinux.org](https://security.archlinux.org), which appears to have the most up-to-date information as of this analysis. #### [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) - **Severity**: Medium - **Type**: Denial of service - **Description**: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) - **Severity**: Medium - **Type**: Denial of service - **Description**: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5 This has been patched in Nokogiri since v1.10.8 (see #1992). #### [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) - **Severity**: Medium - **Type**: Information disclosure - **Description**: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) - **Severity**: Medium - **Type**: Arbitrary code execution (no remote vector) - **Description**: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship `xmllint`. #### [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) - **Severity**: Medium - **Type**: Arbitrary code execution - **Description**: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) - **Severity**: Medium - **Type**: Arbitrary code execution - **Description**: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) - **Severity**: Low - **Type**: Denial of service - **Description**: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) - **Severity**: Low - **Type**: Denial of service - **Description**: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into `DTDLOAD` which is off by default). For more details supporting this analysis of this CVE, please visit #2233. |
Affected by 24 other vulnerabilities. |
|
VCID-nq12-ryyt-c7g9
Aliases: GHSA-fq42-c5rg-92c2 GMS-2022-163 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nokogiri. |
Affected by 21 other vulnerabilities. |
|
VCID-q732-nexj-1ue6
Aliases: GHSA-5mwf-688x-mr7x |
Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references. # Original Description ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. |
Affected by 4 other vulnerabilities. |
|
VCID-qv3r-ppuc-zycz
Aliases: CVE-2020-7595 GHSA-7553-jr98-vx47 |
libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri. |
Affected by 31 other vulnerabilities. |
|
VCID-rsvx-3f49-v3an
Aliases: CVE-2021-3541 |
Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) A flaw was found in libxml2. By exploiting an exponential entity expansion attack its possible bypassing all existing protection mechanisms and lead to a denial of service. |
Affected by 24 other vulnerabilities. |
|
VCID-snr1-kaug-43aa
Aliases: CVE-2022-29181 GHSA-xh29-r2w5-wx8m |
Multiple vulnerabilities have been discovered in Nokogiri, the worst of which could result in denial of service. |
Affected by 14 other vulnerabilities. |
|
VCID-sqa5-8yrd-qyfz
Aliases: CVE-2018-8048 GHSA-x7rv-cr6v-4vm4 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. |
Affected by 39 other vulnerabilities. |
|
VCID-sxp3-vtcq-pugw
Aliases: CVE-2019-18197 GHSA-242x-7cm6-4w8j |
Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue. |
Affected by 32 other vulnerabilities. |
|
VCID-tdt5-asvh-ryaa
Aliases: CVE-2019-11068 GHSA-qxcg-xjjg-66mj |
Bypass of a protection mechanism in libxslt The libxslt binary, which is included in nokogiri, allows bypass of a protection mechanism because callers of `xsltCheckRead` and `xsltCheckWrite` permit access even upon receiving a -1 error code. `xsltCheckRead` can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. |
Affected by 37 other vulnerabilities. Affected by 34 other vulnerabilities. |
|
VCID-tn87-vke6-kuf6
Aliases: CVE-2017-15412 GHSA-r58r-74gx-6wx3 |
Use After Free Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Affected by 40 other vulnerabilities. |
|
VCID-txm2-sdc1-7uch
Aliases: CVE-2019-13117 GHSA-4hm9-844j-jmxp |
Improper Input Validation In `numbers.c` in libxslt, which is used by nokogiri, an `xsl:number` with certain format strings could lead to an uninitialized read in `xsltNumberFormatInsertNumbers`. This could allow an attacker to discern whether a byte on the stack contains the characters `[AaIi0]`, or any other character. |
Affected by 32 other vulnerabilities. |
|
VCID-u8gx-xbj9-97c7
Aliases: GHSA-gx8x-g87m-h5q6 GMS-2022-786 |
Denial of Service (DoS) in Nokogiri on JRuby ## Summary Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity). See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information. Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. ## Mitigation Upgrade to Nokogiri `>= 1.13.4`. ## Impact ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml - **Severity**: High 7.5 - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) |
Affected by 16 other vulnerabilities. |
|
VCID-udew-3gre-13hy
Aliases: CVE-2022-40303 |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in arbitrary code execution. |
Affected by 12 other vulnerabilities. |
|
VCID-uf9q-1ds5-wbev
Aliases: GHSA-mrxw-mxhj-p664 |
Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs ## Summary Nokogiri v1.18.4 upgrades its dependency libxslt to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43). libxslt v1.1.43 resolves: - CVE-2025-24855: Fix use-after-free of XPath context node - CVE-2024-55549: Fix UAF related to excluded namespaces ## Impact ### CVE-2025-24855 - "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855 ### CVE-2024-55549 - "Use-after-free related to excluded result prefixes" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549 |
Affected by 3 other vulnerabilities. |
|
VCID-v226-z8ay-sue4
Aliases: GMS-2015-43 |
Unsafe parsing of unclosed comments Parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access. |
Affected by 50 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-vf7b-s3y3-sfhw
Aliases: CVE-2021-3537 GHSA-286v-pcf5-25rc |
Multiple vulnerabilities have been found in libxml2, the worst of which could result in a Denial of Service condition. |
Affected by 24 other vulnerabilities. |
|
VCID-vhyk-9tbb-quc3
Aliases: CVE-2020-26247 GHSA-vr8q-g5c7-m54m |
Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability ### Severity Nokogiri maintainers have evaluated this as [__Low Severity__ (CVSS3 2.6)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N). ### Description In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible. Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity". ### Affected Versions Nokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3` ### Mitigation There are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later. If, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior): 1. Ensure the input is trusted. Do not enable this option for untrusted input. 2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off. So if your previous code was: ``` ruby # in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network # but in v1.11.0.rc4 and later, this call will disallow network access for external resources schema = Nokogiri::XML::Schema.new(schema) # in v1.11.0.rc4 and later, the following is equivalent to the code above # (the second parameter is optional, and this demonstrates its default value) schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA) ``` Then you can add the second parameter to indicate that the input is trusted by changing it to: ``` ruby # in v1.11.0.rc3 and earlier, this would raise an ArgumentError # but in v1.11.0.rc4 and later, this allows resources to be accessed over the network schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet) ``` ### References - [This issue's public advisory](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m) - [Original Hackerone report (private)](https://hackerone.com/reports/747489) - [OWASP description of XXE attack](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) - [OWASP description of SSRF attack](https://www.owasp.org/index.php/Server_Side_Request_Forgery) ### Credit This vulnerability was independently reported by @eric-therond and @gucki. The Nokogiri maintainers would like to thank [HackerOne](https://hackerone.com/nokogiri) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us. |
Affected by 29 other vulnerabilities. |
|
VCID-w8jf-tsmr-g7cd
Aliases: GHSA-5w6v-399v-w3cc |
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 ## Summary Nokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8). libxml2 v2.13.8 addresses: - CVE-2025-32414 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 - CVE-2025-32415 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 ## Impact ### CVE-2025-32414: No impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. **There is no impact** from this CVE for Nokogiri users. ### CVE-2025-32415: Low impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. In the upstream issue, further context is provided by the maintainer: > The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted > documents against trusted Schemas if they make use of xsd:keyref in combination with recursively > defined types that have additional identity constraints. MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE. |
Affected by 2 other vulnerabilities. |
|
VCID-wc4g-sxyq-ubcd
Aliases: CVE-2017-18258 GHSA-882p-jqgm-f45g |
Allocation of Resources Without Limits or Throttling The xz_head function in xzlib.c in libxml2 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. |
Affected by 40 other vulnerabilities. |
|
VCID-xd6j-x83x-r3gn
Aliases: CVE-2018-25032 GHSA-jc36-42cf-vqwj |
Out-of-bounds Write zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
Affected by 16 other vulnerabilities. |
|
VCID-y5vb-sn4p-eqd9
Aliases: GHSA-pxvg-2qj5-37jq GMS-2023-1115 |
Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs ### Summary Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3. libxml2 v2.10.4 addresses the following known vulnerabilities: - [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of empty dict strings isn't deterministic - [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref in xmlSchemaFixupComplexType - Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.14.3`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these same issues. ### Impact No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs. The commits can be examined at: - [[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64) - [[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f) - [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6) |
Affected by 10 other vulnerabilities. |
|
VCID-yeku-1zjh-kbea
Aliases: GHSA-vvfq-8hwr-qm4m |
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. |
Affected by 4 other vulnerabilities. |
|
VCID-zwzs-qztz-wbfj
Aliases: CVE-2019-5815 GHSA-vmfx-gcfq-wvm2 |
Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could allow remote attackers to execute arbitrary code. |
Affected by 34 other vulnerabilities. Affected by 32 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||