Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/nokogiri@1.10.5
Typegem
Namespace
Namenokogiri
Version1.10.5
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.19.3
Latest_non_vulnerable_version1.19.3
Affected_by_vulnerabilities
0
url VCID-1sh8-bsk3-auct
vulnerability_id VCID-1sh8-bsk3-auct
summary libxml2 has a global Buffer Overflow vulnerability in `xmlEncodeEntitiesInternal` at `libxml2/entities.c`.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00036.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00061.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-24977.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-24977.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-24977
reference_id
reference_type
scores
0
value 0.00697
scoring_system epss
scoring_elements 0.72316
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-24977
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
reference_id
reference_type
scores
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
5
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
reference_id
reference_type
scores
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
6
reference_url https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
7
reference_url https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NQ5GTDYOVH26PBCPYXXMGW5ZZXWMGZC/
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KTUAGDLEHTH6HU66HBFAFTSQ3OKRAN3/
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/674LQPJO2P2XTBTREFR5LOZMBTZ4PZAY/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KQXOHIE3MNY3VQXEN7LDQUJNIHOVHAW/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ENEHQIBMSI6TZVS35Y6I4FCTYUQDLJVP/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3IQ7OQXBKWD3YP7HO6KCNOMLE5ZO2IR/
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J3ICASXZI2UQYFJAOQWHSTNWGED3VXOE/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCHXIWR5DHYO3RSO7RAHEC6VJKXD2EH2/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7MEWYKIKMV2SKMGH4IDWVU3ZGJXBCPQ/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RIQAMBA2IJUTQG5VOP5LZVIZRNCKXHEQ/
18
reference_url https://security.gentoo.org/glsa/202107-05
reference_id
reference_type
scores
url https://security.gentoo.org/glsa/202107-05
19
reference_url https://security.netapp.com/advisory/ntap-20200924-0001/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20200924-0001/
20
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
url https://www.oracle.com/security-alerts/cpuoct2021.html
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1877788
reference_id 1877788
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1877788
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969529
reference_id 969529
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969529
23
reference_url https://security.archlinux.org/ASA-202011-15
reference_id ASA-202011-15
reference_type
scores
url https://security.archlinux.org/ASA-202011-15
24
reference_url https://security.archlinux.org/AVG-1263
reference_id AVG-1263
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1263
25
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-24977
reference_id CVE-2020-24977
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-24977
26
reference_url https://access.redhat.com/errata/RHSA-2021:1597
reference_id RHSA-2021:1597
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1597
fixed_packages
0
url pkg:gem/nokogiri@1.11.4
purl pkg:gem/nokogiri@1.11.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-pr2j-1118-hqaa
5
vulnerability VCID-q3td-7t4g-57ba
6
vulnerability VCID-qkq6-n1ds-x7e5
7
vulnerability VCID-wnj6-hc4g-ykfs
8
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.4
aliases CVE-2020-24977
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1sh8-bsk3-auct
1
url VCID-2r85-egs8-4be3
vulnerability_id VCID-2r85-egs8-4be3
summary 
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
### Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema`
are **trusted** by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.

This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as **untrusted** by default whenever possible.

Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".

### Affected Versions

Nokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3`

### Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri
`1.11.0.rc4` or later.

If, after upgrading to `1.11.0.rc4` or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):

1. Ensure the input is trusted. Do not enable this option
for untrusted input.
2. When invoking the `Nokogiri::XML::Schema` constructor,
pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the
`NONET` flag turned off.

So if your previous code was:

``` ruby
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
```

Then you can add the second parameter to indicate that the input is trusted by changing it to:

``` ruby
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26247.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-26247
reference_id
reference_type
scores
0
value 0.00259
scoring_system epss
scoring_elements 0.49512
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-26247
2
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-26247.yml
3
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
4
reference_url https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md#v1110--2021-01-03
5
reference_url https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b
6
reference_url https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
7
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv3
scoring_elements
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
8
reference_url https://hackerone.com/reports/747489
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/747489
9
reference_url https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html
10
reference_url https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
11
reference_url https://rubygems.org/gems/nokogiri
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/nokogiri
12
reference_url https://security.gentoo.org/glsa/202208-29
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-29
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1912487
reference_id 1912487
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1912487
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967
reference_id 978967
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978967
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-26247
reference_id CVE-2020-26247
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-26247
16
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
17
reference_url https://access.redhat.com/errata/RHSA-2021:5191
reference_id RHSA-2021:5191
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:5191
fixed_packages
0
url pkg:gem/nokogiri@1.11.0
purl pkg:gem/nokogiri@1.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-pr2j-1118-hqaa
5
vulnerability VCID-q3td-7t4g-57ba
6
vulnerability VCID-qkq6-n1ds-x7e5
7
vulnerability VCID-wnj6-hc4g-ykfs
8
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.11.0
aliases CVE-2020-26247, GHSA-vr8q-g5c7-m54m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2r85-egs8-4be3
2
url VCID-chdv-jk6d-uuga
vulnerability_id VCID-chdv-jk6d-uuga
summary 
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
## Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to
[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).

libxml2 v2.13.6 addresses:

- CVE-2025-24928
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
   - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

## Impact

### CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation
errors if the input contains a long (~3kb) QName prefix.

### CVE-2024-56171

Use-after-free is possible during validation against untrusted
XML Schemas (.xsd) and, potentially, validation of untrusted documents
against trusted Schemas if they make use of `xsd:keyref` in combination
with recursively defined types that have additional identity constraints.
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
2
reference_url https://github.com/advisories/GHSA-vvfq-8hwr-qm4m
reference_id GHSA-vvfq-8hwr-qm4m
reference_type
scores
url https://github.com/advisories/GHSA-vvfq-8hwr-qm4m
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml
reference_id GHSA-vvfq-8hwr-qm4m.yml
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml
fixed_packages
0
url pkg:gem/nokogiri@1.18.3
purl pkg:gem/nokogiri@1.18.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d13x-y75t-2ugx
1
vulnerability VCID-pb6j-zdqw-g7cj
2
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.3
aliases GHSA-vvfq-8hwr-qm4m
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-chdv-jk6d-uuga
3
url VCID-d13x-y75t-2ugx
vulnerability_id VCID-d13x-y75t-2ugx
summary 
Nokogiri does not check the return value from xmlC14NExecute
Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure.
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/advisories/GHSA-wx95-c6cv-8532
reference_id GHSA-wx95-c6cv-8532
reference_type
scores
url https://github.com/advisories/GHSA-wx95-c6cv-8532
2
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
reference_id GHSA-wx95-c6cv-8532
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
fixed_packages
0
url pkg:gem/nokogiri@1.19.1
purl pkg:gem/nokogiri@1.19.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d13x-y75t-2ugx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.1
aliases GHSA-wx95-c6cv-8532
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d13x-y75t-2ugx
4
url VCID-jxz3-ug52-cuhn
vulnerability_id VCID-jxz3-ug52-cuhn
summary 
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version
of libxml2, and released this as v1.10.8

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and
so Nokogiri versions <= v1.10.7 are vulnerable.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7595.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7595.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-7595
reference_id
reference_type
scores
0
value 0.00476
scoring_system epss
scoring_elements 0.65244
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-7595
3
reference_url https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2020-7595.yml
5
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
6
reference_url https://github.com/sparklemotion/nokogiri/issues/1992
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/issues/1992
7
reference_url https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
8
reference_url https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
15
reference_url https://security.gentoo.org/glsa/202010-04
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202010-04
16
reference_url https://security.netapp.com/advisory/ntap-20200702-0005
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20200702-0005
17
reference_url https://security.netapp.com/advisory/ntap-20200702-0005/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20200702-0005/
18
reference_url https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08
19
reference_url https://usn.ubuntu.com/4274-1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4274-1
20
reference_url https://usn.ubuntu.com/4274-1/
reference_id
reference_type
scores
url https://usn.ubuntu.com/4274-1/
21
reference_url https://www.oracle.com/security-alerts/cpuapr2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2022.html
22
reference_url https://www.oracle.com/security-alerts/cpujul2020.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2020.html
23
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
24
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
25
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1799786
reference_id 1799786
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1799786
26
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582
reference_id 949582
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582
27
reference_url https://security.archlinux.org/ASA-202011-15
reference_id ASA-202011-15
reference_type
scores
url https://security.archlinux.org/ASA-202011-15
28
reference_url https://security.archlinux.org/AVG-1263
reference_id AVG-1263
reference_type
scores
0
value Medium
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1263
29
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-7595
reference_id CVE-2020-7595
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-7595
30
reference_url https://access.redhat.com/errata/RHSA-2020:2644
reference_id RHSA-2020:2644
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2644
31
reference_url https://access.redhat.com/errata/RHSA-2020:2646
reference_id RHSA-2020:2646
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2646
32
reference_url https://access.redhat.com/errata/RHSA-2020:3996
reference_id RHSA-2020:3996
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:3996
33
reference_url https://access.redhat.com/errata/RHSA-2020:4479
reference_id RHSA-2020:4479
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4479
34
reference_url https://access.redhat.com/errata/RHSA-2021:0949
reference_id RHSA-2021:0949
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0949
fixed_packages
0
url pkg:gem/nokogiri@1.10.8
purl pkg:gem/nokogiri@1.10.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-chdv-jk6d-uuga
3
vulnerability VCID-d13x-y75t-2ugx
4
vulnerability VCID-p6m6-7kgc-y3g8
5
vulnerability VCID-pb6j-zdqw-g7cj
6
vulnerability VCID-pr2j-1118-hqaa
7
vulnerability VCID-q3td-7t4g-57ba
8
vulnerability VCID-qkq6-n1ds-x7e5
9
vulnerability VCID-wnj6-hc4g-ykfs
10
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.8
aliases CVE-2020-7595, GHSA-7553-jr98-vx47
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz3-ug52-cuhn
5
url VCID-p6m6-7kgc-y3g8
vulnerability_id VCID-p6m6-7kgc-y3g8
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/discussions/3146
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/discussions/3146
2
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
3
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-25062
reference_id CVE-2024-25062
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-25062
6
reference_url https://github.com/advisories/GHSA-xc9x-jj77-9p9j
reference_id GHSA-xc9x-jj77-9p9j
reference_type
scores
url https://github.com/advisories/GHSA-xc9x-jj77-9p9j
7
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
reference_id GHSA-xc9x-jj77-9p9j
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
reference_id GHSA-xc9x-jj77-9p9j.yml
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
fixed_packages
0
url pkg:gem/nokogiri@1.15.6
purl pkg:gem/nokogiri@1.15.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-pb6j-zdqw-g7cj
3
vulnerability VCID-q3td-7t4g-57ba
4
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.15.6
1
url pkg:gem/nokogiri@1.16.0.rc1
purl pkg:gem/nokogiri@1.16.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-q3td-7t4g-57ba
5
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.0.rc1
2
url pkg:gem/nokogiri@1.16.2
purl pkg:gem/nokogiri@1.16.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-pb6j-zdqw-g7cj
3
vulnerability VCID-q3td-7t4g-57ba
4
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2
aliases GHSA-xc9x-jj77-9p9j, GMS-2024-127
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p6m6-7kgc-y3g8
6
url VCID-pb6j-zdqw-g7cj
vulnerability_id VCID-pb6j-zdqw-g7cj
summary 
Nokogiri patches vendored libxml2 to resolve multiple CVEs
## Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address
CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,
and CVE-2025-49796.

## Impact and severity

### CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer
overflows in buffer size calculations can lead to a stack-based
buffer overflow. This issue can result in memory corruption or a
denial of service when processing crafted input.

NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

### CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which
can cause it to crash. This issue might allow attackers to run
harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low
(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

### CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue
occurs when parsing XPath elements under certain circumstances when
the XML schematron has the <sch:name path="..."/> schema elements.
This flaw allows a malicious actor to craft a malicious XML document
used as input for libxml, resulting in the program's crash using
libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

### CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when
processing XPath XML expressions. This flaw allows an attacker to
craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

### CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name
elements from the input XML file can trigger a memory corruption
issue. This flaw allows an attacker to craft a malicious XML input
file that can lead libxml to crash, resulting in a denial of service
or other possible undefined behavior due to sensitive data being
corrupted in memory.

NVD claims a severity of 9.1 Critical
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

## Affected Versions

- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

## Patched Versions

- Nokogiri >= 1.18.9

## Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more
complicated mitigation: compile and link Nokogiri against patched
external libxml2 libraries which will also address these same issues.
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/pull/3526
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/pull/3526
2
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
reference_id
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49794
reference_id CVE-2025-49794
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49794
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49795
reference_id CVE-2025-49795
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49795
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49796
reference_id CVE-2025-49796
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49796
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-6021
reference_id CVE-2025-6021
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-6021
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-6170
reference_id CVE-2025-6170
reference_type
scores
0
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-6170
8
reference_url https://github.com/advisories/GHSA-353f-x4gh-cqq8
reference_id GHSA-353f-x4gh-cqq8
reference_type
scores
url https://github.com/advisories/GHSA-353f-x4gh-cqq8
fixed_packages
0
url pkg:gem/nokogiri@1.18.9
purl pkg:gem/nokogiri@1.18.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d13x-y75t-2ugx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.9
aliases GHSA-353f-x4gh-cqq8
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pb6j-zdqw-g7cj
7
url VCID-pr2j-1118-hqaa
vulnerability_id VCID-pr2j-1118-hqaa
summary 
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
### Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to
[v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from
v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)

Please note that this advisory only applies to the CRuby implementation of
Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If
you've overridden defaults at installation time to use _system_ libraries
instead of packaged libraries, you should instead pay attention to your
distro's `libxml2` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.13.9`.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2
`>= 2.10.3` which will also address these same issues.


### Impact

#### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)

- **CVSS3 score**: Under evaluation
- **Type**: Denial of service
- **Description**: NULL Pointer Dereference allows attackers to cause a denial
of service (or application crash). This only applies when lxml is used
together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not
affected. It allows triggering crashes through forged input data, given a
vulnerable code sequence in the application. The vulnerability is caused by
the iterwalk function (also used by the canonicalize function). Such code
shouldn't be in wide-spread use, given that parsing + iterwalk would usually
be replaced with the more efficient iterparse function. However, an XML
converter that serialises to C14N would also be vulnerable, for example, and
there are legitimate use cases for this code sequence. If untrusted input is
received (also remotely) and processed via iterwalk function, a crash can be
triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not
affect Nokogiri users.


#### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)

- **CVSS3 score**: Unspecified upstream
- **Type**: Data corruption, denial of service
- **Description**: When an entity reference cycle is detected, the entity
content is cleared by setting its first byte to zero. But the entity content
might be allocated from a dict. In this case, the dict entry becomes corrupted
leading to all kinds of logic errors, including memory errors like
double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2


#### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)

- **CVSS3 score**: Unspecified upstream
- **Type**: Integer overflow
- **Description**: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
fixed_packages
0
url pkg:gem/nokogiri@1.13.9
purl pkg:gem/nokogiri@1.13.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-q3td-7t4g-57ba
5
vulnerability VCID-wnj6-hc4g-ykfs
6
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9
aliases GHSA-2qc6-mcvw-92cw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pr2j-1118-hqaa
8
url VCID-q3td-7t4g-57ba
vulnerability_id VCID-q3td-7t4g-57ba
summary 
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
## Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to
[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

## Impact

There is no impact to Nokogiri users because the issue is present only
in libxml2's `xmllint` tool which Nokogiri does not provide or expose.

## Timeline

- 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
- 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
- 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5)
  and this GHSA made public
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5
2
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7
3
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
5
reference_url https://github.com/advisories/GHSA-r95h-9x8f-r3f7
reference_id GHSA-r95h-9x8f-r3f7
reference_type
scores
url https://github.com/advisories/GHSA-r95h-9x8f-r3f7
fixed_packages
0
url pkg:gem/nokogiri@1.16.5
purl pkg:gem/nokogiri@1.16.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-pb6j-zdqw-g7cj
3
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.5
aliases GHSA-r95h-9x8f-r3f7
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q3td-7t4g-57ba
9
url VCID-qkq6-n1ds-x7e5
vulnerability_id VCID-qkq6-n1ds-x7e5
summary 
Inefficient Regular Expression Complexity
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24836
reference_id
reference_type
scores
0
value 0.01827
scoring_system epss
scoring_elements 0.83241
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24836
2
reference_url http://seclists.org/fulldisclosure/2022/Dec/23
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2022/Dec/23
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml
4
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
5
reference_url https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd
6
reference_url https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
7
reference_url https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
8
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html
9
reference_url https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3
13
reference_url https://security.gentoo.org/glsa/202208-29
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.gentoo.org/glsa/202208-29
14
reference_url https://support.apple.com/kb/HT213532
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT213532
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787
reference_id 1009787
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2074346
reference_id 2074346
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2074346
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24836
reference_id CVE-2022-24836
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24836
18
reference_url https://github.com/advisories/GHSA-crjr-9rc5-ghw8
reference_id GHSA-crjr-9rc5-ghw8
reference_type
scores
url https://github.com/advisories/GHSA-crjr-9rc5-ghw8
19
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
reference_id GHSA-crjr-9rc5-ghw8
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
20
reference_url https://access.redhat.com/errata/RHSA-2022:8506
reference_id RHSA-2022:8506
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:8506
fixed_packages
0
url pkg:gem/nokogiri@1.13.4
purl pkg:gem/nokogiri@1.13.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-pr2j-1118-hqaa
5
vulnerability VCID-q3td-7t4g-57ba
6
vulnerability VCID-wnj6-hc4g-ykfs
7
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4
aliases CVE-2022-24836, GHSA-crjr-9rc5-ghw8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qkq6-n1ds-x7e5
10
url VCID-wnj6-hc4g-ykfs
vulnerability_id VCID-wnj6-hc4g-ykfs
summary 
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
## Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to
[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).

libxml2 v2.13.8 addresses:

- CVE-2025-32414
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

## Impact

### CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds
memory access can occur in the Python API (Python bindings) because
of an incorrect return value. This occurs in xmlPythonFileRead and
xmlPythonFileReadRaw because of a difference between bytes and characters.

**There is no impact** from this CVE for Nokogiri users.

### CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2,
xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer
under-read. To exploit this, a crafted XML document must be validated
against an XML schema with certain identity constraints, or a
crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

> The bug affects validation against untrusted XML Schemas (.xsd)
> and validation of untrusted documents against trusted Schemas if
> they make use of xsd:keyref in combination with recursively
> defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW
(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.
references
0
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
1
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc
2
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
3
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8
5
reference_url https://github.com/advisories/GHSA-5w6v-399v-w3cc
reference_id GHSA-5w6v-399v-w3cc
reference_type
scores
url https://github.com/advisories/GHSA-5w6v-399v-w3cc
fixed_packages
0
url pkg:gem/nokogiri@1.18.8
purl pkg:gem/nokogiri@1.18.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-d13x-y75t-2ugx
1
vulnerability VCID-pb6j-zdqw-g7cj
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.8
aliases GHSA-5w6v-399v-w3cc
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wnj6-hc4g-ykfs
11
url VCID-yrjg-2aw9-effx
vulnerability_id VCID-yrjg-2aw9-effx
summary 
Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
### Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

- [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.14.3`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these same issues.


### Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

- [[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64)
- [[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f)
- [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6)
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469
2
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
3
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64
4
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6
5
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f
6
reference_url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
7
reference_url https://github.com/advisories/GHSA-pxvg-2qj5-37jq
reference_id GHSA-pxvg-2qj5-37jq
reference_type
scores
url https://github.com/advisories/GHSA-pxvg-2qj5-37jq
8
reference_url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq
reference_id GHSA-pxvg-2qj5-37jq
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq
fixed_packages
0
url pkg:gem/nokogiri@1.14.3
purl pkg:gem/nokogiri@1.14.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-chdv-jk6d-uuga
1
vulnerability VCID-d13x-y75t-2ugx
2
vulnerability VCID-p6m6-7kgc-y3g8
3
vulnerability VCID-pb6j-zdqw-g7cj
4
vulnerability VCID-q3td-7t4g-57ba
5
vulnerability VCID-wnj6-hc4g-ykfs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.14.3
aliases GHSA-pxvg-2qj5-37jq, GMS-2023-1115
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yrjg-2aw9-effx
Fixing_vulnerabilities
0
url VCID-5xuf-r7bj-33fa
vulnerability_id VCID-5xuf-r7bj-33fa
summary 
Improper Input Validation
In `numbers.c` in libxslt, which is used by nokogiri, an `xsl:number` with certain format strings could lead to an uninitialized read in `xsltNumberFormatInsertNumbers`. This could allow an attacker to discern whether a byte on the stack contains the characters `[AaIi0]`, or any other character.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13117.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13117.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-13117
reference_id
reference_type
scores
0
value 0.04376
scoring_system epss
scoring_elements 0.89156
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-13117
3
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml
5
reference_url https://github.com/sparklemotion/nokogiri/issues/1943
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/issues/1943
6
reference_url https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
7
reference_url https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
9
reference_url https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
11
reference_url https://oss-fuzz.com/testcase-detail/5631739747106816
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://oss-fuzz.com/testcase-detail/5631739747106816
12
reference_url https://security.netapp.com/advisory/ntap-20190806-0004
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20190806-0004
13
reference_url https://security.netapp.com/advisory/ntap-20200122-0003
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20200122-0003
14
reference_url https://usn.ubuntu.com/4164-1
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4164-1
15
reference_url https://www.oracle.com/security-alerts/cpujan2020.html
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2020.html
16
reference_url http://www.openwall.com/lists/oss-security/2019/11/17/2
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/11/17/2
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1728546
reference_id 1728546
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1728546
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931321
reference_id 931321
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931321
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-13117
reference_id CVE-2019-13117
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-13117
fixed_packages
0
url pkg:gem/nokogiri@1.10.5
purl pkg:gem/nokogiri@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-chdv-jk6d-uuga
3
vulnerability VCID-d13x-y75t-2ugx
4
vulnerability VCID-jxz3-ug52-cuhn
5
vulnerability VCID-p6m6-7kgc-y3g8
6
vulnerability VCID-pb6j-zdqw-g7cj
7
vulnerability VCID-pr2j-1118-hqaa
8
vulnerability VCID-q3td-7t4g-57ba
9
vulnerability VCID-qkq6-n1ds-x7e5
10
vulnerability VCID-wnj6-hc4g-ykfs
11
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5
aliases CVE-2019-13117, GHSA-4hm9-844j-jmxp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5xuf-r7bj-33fa
1
url VCID-ft4s-195a-8fcf
vulnerability_id VCID-ft4s-195a-8fcf
summary 
Improper Input Validation
In `numbers.c` in libxslt, which is used by nokogiri, a type holding grouping characters of an `xsl:number` instruction was too narrow and an invalid character/length combination could be passed to `xsltNumberFormatDecimal`, leading to a read of uninitialized stack data.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13118.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-13118.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-13118
reference_id
reference_type
scores
0
value 0.01008
scoring_system epss
scoring_elements 0.77408
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-13118
3
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
4
reference_url http://seclists.org/fulldisclosure/2019/Aug/11
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Aug/11
5
reference_url http://seclists.org/fulldisclosure/2019/Aug/13
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Aug/13
6
reference_url http://seclists.org/fulldisclosure/2019/Aug/14
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Aug/14
7
reference_url http://seclists.org/fulldisclosure/2019/Aug/15
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Aug/15
8
reference_url http://seclists.org/fulldisclosure/2019/Jul/22
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/22
9
reference_url http://seclists.org/fulldisclosure/2019/Jul/23
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/23
10
reference_url http://seclists.org/fulldisclosure/2019/Jul/24
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/24
11
reference_url http://seclists.org/fulldisclosure/2019/Jul/26
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/26
12
reference_url http://seclists.org/fulldisclosure/2019/Jul/31
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/31
13
reference_url http://seclists.org/fulldisclosure/2019/Jul/37
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/37
14
reference_url http://seclists.org/fulldisclosure/2019/Jul/38
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://seclists.org/fulldisclosure/2019/Jul/38
15
reference_url https://github.com/sparklemotion/nokogiri/blob/f7aa3b0b29d6fe5fafe93dacd9b96b6b3d16b7ec/CHANGELOG.md?plain=1#L796
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/blob/f7aa3b0b29d6fe5fafe93dacd9b96b6b3d16b7ec/CHANGELOG.md?plain=1#L796
16
reference_url https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e
17
reference_url https://github.com/sparklemotion/nokogiri/issues/1943
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/issues/1943
18
reference_url https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.5
19
reference_url https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
20
reference_url https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
21
reference_url https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
22
reference_url https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ
24
reference_url https://oss-fuzz.com/testcase-detail/5197371471822848
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://oss-fuzz.com/testcase-detail/5197371471822848
25
reference_url https://seclists.org/bugtraq/2019/Aug/21
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Aug/21
26
reference_url https://seclists.org/bugtraq/2019/Aug/22
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Aug/22
27
reference_url https://seclists.org/bugtraq/2019/Aug/23
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Aug/23
28
reference_url https://seclists.org/bugtraq/2019/Aug/25
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Aug/25
29
reference_url https://seclists.org/bugtraq/2019/Jul/35
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/35
30
reference_url https://seclists.org/bugtraq/2019/Jul/36
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/36
31
reference_url https://seclists.org/bugtraq/2019/Jul/37
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/37
32
reference_url https://seclists.org/bugtraq/2019/Jul/40
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/40
33
reference_url https://seclists.org/bugtraq/2019/Jul/41
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/41
34
reference_url https://seclists.org/bugtraq/2019/Jul/42
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Jul/42
35
reference_url https://security.netapp.com/advisory/ntap-20190806-0004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20190806-0004
36
reference_url https://security.netapp.com/advisory/ntap-20200122-0003
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20200122-0003
37
reference_url https://support.apple.com/kb/HT210346
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210346
38
reference_url https://support.apple.com/kb/HT210348
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210348
39
reference_url https://support.apple.com/kb/HT210351
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210351
40
reference_url https://support.apple.com/kb/HT210353
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210353
41
reference_url https://support.apple.com/kb/HT210356
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210356
42
reference_url https://support.apple.com/kb/HT210357
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210357
43
reference_url https://support.apple.com/kb/HT210358
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://support.apple.com/kb/HT210358
44
reference_url https://usn.ubuntu.com/4164-1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4164-1
45
reference_url https://www.oracle.com/security-alerts/cpujan2020.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujan2020.html
46
reference_url http://www.openwall.com/lists/oss-security/2019/11/17/2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/11/17/2
47
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1728541
reference_id 1728541
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1728541
48
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931320
reference_id 931320
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931320
49
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-13118
reference_id CVE-2019-13118
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-13118
fixed_packages
0
url pkg:gem/nokogiri@1.10.5
purl pkg:gem/nokogiri@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-chdv-jk6d-uuga
3
vulnerability VCID-d13x-y75t-2ugx
4
vulnerability VCID-jxz3-ug52-cuhn
5
vulnerability VCID-p6m6-7kgc-y3g8
6
vulnerability VCID-pb6j-zdqw-g7cj
7
vulnerability VCID-pr2j-1118-hqaa
8
vulnerability VCID-q3td-7t4g-57ba
9
vulnerability VCID-qkq6-n1ds-x7e5
10
vulnerability VCID-wnj6-hc4g-ykfs
11
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5
aliases CVE-2019-13118, GHSA-cf46-6xxh-pc75
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ft4s-195a-8fcf
2
url VCID-u9b2-qx2j-c7by
vulnerability_id VCID-u9b2-qx2j-c7by
summary multiple issues
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5815.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5815.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-5815
reference_id
reference_type
scores
0
value 0.00111
scoring_system epss
scoring_elements 0.29163
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-5815
2
reference_url https://bugs.chromium.org/p/chromium/issues/detail?id=930663
reference_id
reference_type
scores
url https://bugs.chromium.org/p/chromium/issues/detail?id=930663
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13698
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13698
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5805
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5805
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5806
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5806
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5807
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5807
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5808
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5808
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5809
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5809
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5810
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5810
10
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5811
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5811
11
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5813
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5813
12
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5814
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5814
13
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5815
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5815
14
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5818
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5818
15
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5819
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5819
16
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5820
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5820
17
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5821
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5821
18
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5822
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5822
19
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5823
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5823
20
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5824
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5824
21
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5825
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5825
22
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5826
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5826
23
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5827
24
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5828
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5828
25
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5829
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5829
26
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5830
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5830
27
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5831
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5831
28
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5832
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5832
29
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5833
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5833
30
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5834
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5834
31
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5836
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5836
32
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5837
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5837
33
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5838
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5838
34
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5839
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5839
35
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5840
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5840
36
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5841
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5841
37
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5842
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5842
38
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5843
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5843
39
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5847
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5847
40
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5848
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5848
41
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5849
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5849
42
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5850
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5850
43
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5851
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5851
44
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5852
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5852
45
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5853
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5853
46
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5854
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5854
47
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5855
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5855
48
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5856
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5856
49
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5857
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5857
50
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5858
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5858
51
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5859
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5859
52
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5860
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5860
53
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5861
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5861
54
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5862
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5862
55
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5864
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5864
56
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5865
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5865
57
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5867
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5867
58
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5868
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5868
59
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6503
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6503
60
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6504
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6504
61
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml
62
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
63
reference_url https://github.com/sparklemotion/nokogiri/issues/2630
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/issues/2630
64
reference_url https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
65
reference_url https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
66
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1702905
reference_id 1702905
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1702905
67
reference_url https://security.archlinux.org/ASA-201904-12
reference_id ASA-201904-12
reference_type
scores
url https://security.archlinux.org/ASA-201904-12
68
reference_url https://security.archlinux.org/AVG-952
reference_id AVG-952
reference_type
scores
0
value Critical
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-952
69
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-5815
reference_id CVE-2019-5815
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-5815
70
reference_url https://security.gentoo.org/glsa/201908-18
reference_id GLSA-201908-18
reference_type
scores
url https://security.gentoo.org/glsa/201908-18
71
reference_url https://access.redhat.com/errata/RHSA-2019:1021
reference_id RHSA-2019:1021
reference_type
scores
url https://access.redhat.com/errata/RHSA-2019:1021
fixed_packages
0
url pkg:gem/nokogiri@1.10.4
purl pkg:gem/nokogiri@1.10.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-5xuf-r7bj-33fa
3
vulnerability VCID-chdv-jk6d-uuga
4
vulnerability VCID-d13x-y75t-2ugx
5
vulnerability VCID-jxz3-ug52-cuhn
6
vulnerability VCID-p6m6-7kgc-y3g8
7
vulnerability VCID-pb6j-zdqw-g7cj
8
vulnerability VCID-pr2j-1118-hqaa
9
vulnerability VCID-q3td-7t4g-57ba
10
vulnerability VCID-qkq6-n1ds-x7e5
11
vulnerability VCID-uk9u-nn9a-4yes
12
vulnerability VCID-wnj6-hc4g-ykfs
13
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.4
1
url pkg:gem/nokogiri@1.10.5
purl pkg:gem/nokogiri@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-chdv-jk6d-uuga
3
vulnerability VCID-d13x-y75t-2ugx
4
vulnerability VCID-jxz3-ug52-cuhn
5
vulnerability VCID-p6m6-7kgc-y3g8
6
vulnerability VCID-pb6j-zdqw-g7cj
7
vulnerability VCID-pr2j-1118-hqaa
8
vulnerability VCID-q3td-7t4g-57ba
9
vulnerability VCID-qkq6-n1ds-x7e5
10
vulnerability VCID-wnj6-hc4g-ykfs
11
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5
aliases CVE-2019-5815, GHSA-vmfx-gcfq-wvm2
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u9b2-qx2j-c7by
3
url VCID-uk9u-nn9a-4yes
vulnerability_id VCID-uk9u-nn9a-4yes
summary multiple issues
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
2
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
3
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
4
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18197.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-18197.json
5
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-18197
reference_id
reference_type
scores
0
value 0.04534
scoring_system epss
scoring_elements 0.89355
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-18197
6
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
7
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
8
reference_url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-18197.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-18197.yml
11
reference_url https://github.com/sparklemotion/nokogiri
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri
12
reference_url https://github.com/sparklemotion/nokogiri/blob/01ab95f3e37429ed8d3b380a8d2f73902eb325d9/CHANGELOG.md?plain=1#L934
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/blob/01ab95f3e37429ed8d3b380a8d2f73902eb325d9/CHANGELOG.md?plain=1#L934
13
reference_url https://github.com/sparklemotion/nokogiri/issues/1943
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/sparklemotion/nokogiri/issues/1943
14
reference_url https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
15
reference_url https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html
16
reference_url https://security.netapp.com/advisory/ntap-20191031-0004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20191031-0004
17
reference_url https://security.netapp.com/advisory/ntap-20200416-0004
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20200416-0004
18
reference_url https://usn.ubuntu.com/4164-1
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4164-1
19
reference_url https://www.oracle.com/security-alerts/cpuapr2020.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuapr2020.html
20
reference_url http://www.openwall.com/lists/oss-security/2019/11/17/2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/11/17/2
21
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1770768
reference_id 1770768
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1770768
22
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942646
reference_id 942646
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942646
23
reference_url https://security.archlinux.org/ASA-202002-3
reference_id ASA-202002-3
reference_type
scores
url https://security.archlinux.org/ASA-202002-3
24
reference_url https://security.archlinux.org/AVG-1092
reference_id AVG-1092
reference_type
scores
0
value Critical
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1092
25
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-18197
reference_id CVE-2019-18197
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-18197
26
reference_url https://access.redhat.com/errata/RHSA-2020:0514
reference_id RHSA-2020:0514
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://access.redhat.com/errata/RHSA-2020:0514
27
reference_url https://access.redhat.com/errata/RHSA-2020:4005
reference_id RHSA-2020:4005
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4005
28
reference_url https://access.redhat.com/errata/RHSA-2020:4464
reference_id RHSA-2020:4464
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4464
fixed_packages
0
url pkg:gem/nokogiri@1.10.5
purl pkg:gem/nokogiri@1.10.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sh8-bsk3-auct
1
vulnerability VCID-2r85-egs8-4be3
2
vulnerability VCID-chdv-jk6d-uuga
3
vulnerability VCID-d13x-y75t-2ugx
4
vulnerability VCID-jxz3-ug52-cuhn
5
vulnerability VCID-p6m6-7kgc-y3g8
6
vulnerability VCID-pb6j-zdqw-g7cj
7
vulnerability VCID-pr2j-1118-hqaa
8
vulnerability VCID-q3td-7t4g-57ba
9
vulnerability VCID-qkq6-n1ds-x7e5
10
vulnerability VCID-wnj6-hc4g-ykfs
11
vulnerability VCID-yrjg-2aw9-effx
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5
aliases CVE-2019-18197, GHSA-242x-7cm6-4w8j
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uk9u-nn9a-4yes
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.10.5