{"url":"http://public2.vulnerablecode.io/api/packages/59149?format=json","purl":"pkg:gem/nokogiri@1.12.5","type":"gem","namespace":"","name":"nokogiri","version":"1.12.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.19.3","latest_non_vulnerable_version":"1.19.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51500?format=json","vulnerability_id":"VCID-5838-r3hp-wke4","summary":"Integer Overflow or Wraparound in libxml2 affects Nokogiri\n### Summary\n\nNokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from\nv2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).\n\nlibxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824).\nThis version also includes several security-related bug fixes for which CVEs were not created,\nincluding a potential double-free, potential memory leaks, and integer-overflow.\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri\n`< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden\ndefaults at installation time to use _system_ libraries instead of packaged libraries,\nyou should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.\n\n### Mitigation\n\nUpgrade to Nokogiri `>= 1.13.5`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation:\ncompile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also\naddress these same issues.\n\n### Impact\n\n#### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)\n\n- **CVSS3 score**:\n  - Unspecified upstream\n  - Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)). Note that this is different from the CVSS assessed by NVD.\n- **Type**: Denial of service, information disclosure\n- **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.\n- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24\n\nAll versions of libml2 prior to v2.9.14 are affected.\n\nApplications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.\n\n\n### References\n\n- [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14)\n- [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824)\n- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29824","reference_id":"CVE-2022-29824","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29824"},{"reference_url":"https://github.com/advisories/GHSA-cgx6-hpwq-fhv5","reference_id":"GHSA-cgx6-hpwq-fhv5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cgx6-hpwq-fhv5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/152480?format=json","purl":"pkg:gem/nokogiri@1.13.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.5"}],"aliases":["GHSA-cgx6-hpwq-fhv5","GMS-2022-1438"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5838-r3hp-wke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78001?format=json","vulnerability_id":"VCID-5g9a-2484-rucp","summary":"An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40304.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40304.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40304","reference_id":"","reference_type":"","scores":[{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44511","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44589","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00219","scoring_system":"epss","scoring_elements":"0.44581","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40304"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3"},{"reference_url":"https://nokogiri.org/CHANGELOG.html#1139-2022-10-18","reference_id":"","reference_type":"","scores":[],"url":"https://nokogiri.org/CHANGELOG.html#1139-2022-10-18"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022225","reference_id":"1022225","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022225"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/21","reference_id":"21","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/21"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2136288","reference_id":"2136288","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2136288"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/24","reference_id":"24","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/24"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/25","reference_id":"25","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/25"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/26","reference_id":"26","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/26"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/27","reference_id":"27","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/27"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40304","reference_id":"CVE-2022-40304","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40304"},{"reference_url":"https://security.gentoo.org/glsa/202210-39","reference_id":"GLSA-202210-39","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-39"},{"reference_url":"https://support.apple.com/kb/HT213531","reference_id":"HT213531","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://support.apple.com/kb/HT213531"},{"reference_url":"https://support.apple.com/kb/HT213533","reference_id":"HT213533","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://support.apple.com/kb/HT213533"},{"reference_url":"https://support.apple.com/kb/HT213534","reference_id":"HT213534","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://support.apple.com/kb/HT213534"},{"reference_url":"https://support.apple.com/kb/HT213535","reference_id":"HT213535","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://support.apple.com/kb/HT213535"},{"reference_url":"https://support.apple.com/kb/HT213536","reference_id":"HT213536","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://support.apple.com/kb/HT213536"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221209-0003/","reference_id":"ntap-20221209-0003","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-28T19:47:33Z/"}],"url":"https://security.netapp.com/advisory/ntap-20221209-0003/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8841","reference_id":"RHSA-2022:8841","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8841"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0173","reference_id":"RHSA-2023:0173","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0173"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0338","reference_id":"RHSA-2023:0338","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0338"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0413","reference_id":"RHSA-2024:0413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0413"},{"reference_url":"https://usn.ubuntu.com/5760-1/","reference_id":"USN-5760-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5760-1/"},{"reference_url":"https://usn.ubuntu.com/5760-2/","reference_id":"USN-5760-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5760-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145080?format=json","purl":"pkg:gem/nokogiri@1.13.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qhx2-j1jc-cyev"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9"}],"aliases":["CVE-2022-40304"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5g9a-2484-rucp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56679?format=json","vulnerability_id":"VCID-66gp-78uh-aqem","summary":"Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m"},{"reference_url":"https://github.com/advisories/GHSA-5mwf-688x-mr7x","reference_id":"GHSA-5mwf-688x-mr7x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5mwf-688x-mr7x"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml","reference_id":"GHSA-vvfq-8hwr-qm4m.yml","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84149?format=json","purl":"pkg:gem/nokogiri@1.18.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.3"}],"aliases":["GHSA-5mwf-688x-mr7x"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-66gp-78uh-aqem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51491?format=json","vulnerability_id":"VCID-67gm-m1up-gfaf","summary":"Nokogiri CSS selector tokenizer has regular expression backtracking\n## Summary\n\nNokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:\n\n1. String-literal tokenization on certain unterminated quoted-string input.\n2. String-literal tokenization on a separate class of hex-escape-rich input.\n3. Identifier tokenization on hex-escape-rich input.\n\nThe public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.19.3`.\n\nIf users are unable to upgrade, two options are available:\n\n- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.\n- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).\n\nAn attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.\n\n\n## Resources\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n\n\n## Credit\n\nVector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx"},{"reference_url":"https://github.com/advisories/GHSA-c4rq-3m3g-8wgx","reference_id":"GHSA-c4rq-3m3g-8wgx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c4rq-3m3g-8wgx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114534?format=json","purl":"pkg:gem/nokogiri@1.19.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.3"}],"aliases":["GHSA-c4rq-3m3g-8wgx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-67gm-m1up-gfaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42531?format=json","vulnerability_id":"VCID-74wj-a72v-s3gk","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nokogiri.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/advisories/GHSA-fq42-c5rg-92c2","reference_id":"GHSA-fq42-c5rg-92c2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fq42-c5rg-92c2"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2","reference_id":"GHSA-fq42-c5rg-92c2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60810?format=json","purl":"pkg:gem/nokogiri@1.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-aef6-wkbr-1kfb"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-qkq6-n1ds-x7e5"},{"vulnerability":"VCID-tggj-xch8-jqcv"},{"vulnerability":"VCID-u2yz-dthy-1fdr"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"},{"vulnerability":"VCID-zudy-xe9p-3fgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2"}],"aliases":["GHSA-fq42-c5rg-92c2","GMS-2022-163"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-74wj-a72v-s3gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42882?format=json","vulnerability_id":"VCID-aef6-wkbr-1kfb","summary":"Out-of-bounds Write in zlib affects Nokogiri\n## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements. \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25032","reference_id":"CVE-2018-25032","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25032"},{"reference_url":"https://github.com/advisories/GHSA-jc36-42cf-vqwj","reference_id":"GHSA-jc36-42cf-vqwj","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jc36-42cf-vqwj"},{"reference_url":"https://github.com/advisories/GHSA-v6gp-9mmm-c6p5","reference_id":"GHSA-v6gp-9mmm-c6p5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v6gp-9mmm-c6p5"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5","reference_id":"GHSA-v6gp-9mmm-c6p5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61129?format=json","purl":"pkg:gem/nokogiri@1.13.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4"}],"aliases":["GHSA-v6gp-9mmm-c6p5","GMS-2022-787"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aef6-wkbr-1kfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4945?format=json","vulnerability_id":"VCID-bgcq-x9bd-83ap","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23308.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23308.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23308","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22494","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22578","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22565","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23308"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS","reference_id":"","reference_type":"","scores":[],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006489","reference_id":"1006489","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006489"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2056913","reference_id":"2056913","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2056913"},{"reference_url":"https://security.archlinux.org/AVG-2726","reference_id":"AVG-2726","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2726"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23308","reference_id":"CVE-2022-23308","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23308"},{"reference_url":"https://security.gentoo.org/glsa/202210-03","reference_id":"GLSA-202210-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-03"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:0899","reference_id":"RHSA-2022:0899","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:0899"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1389","reference_id":"RHSA-2022:1389","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1389"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1390","reference_id":"RHSA-2022:1390","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1390"},{"reference_url":"https://usn.ubuntu.com/5324-1/","reference_id":"USN-5324-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5324-1/"},{"reference_url":"https://usn.ubuntu.com/5422-1/","reference_id":"USN-5422-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5422-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60810?format=json","purl":"pkg:gem/nokogiri@1.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-aef6-wkbr-1kfb"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-qkq6-n1ds-x7e5"},{"vulnerability":"VCID-tggj-xch8-jqcv"},{"vulnerability":"VCID-u2yz-dthy-1fdr"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"},{"vulnerability":"VCID-zudy-xe9p-3fgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.2"}],"aliases":["CVE-2022-23308"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bgcq-x9bd-83ap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51499?format=json","vulnerability_id":"VCID-chdv-jk6d-uuga","summary":"Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171\n## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n   - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation\nerrors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted\nXML Schemas (.xsd) and, potentially, validation of untrusted documents\nagainst trusted Schemas if they make use of `xsd:keyref` in combination\nwith recursively defined types that have additional identity constraints.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m"},{"reference_url":"https://github.com/advisories/GHSA-vvfq-8hwr-qm4m","reference_id":"GHSA-vvfq-8hwr-qm4m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vvfq-8hwr-qm4m"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml","reference_id":"GHSA-vvfq-8hwr-qm4m.yml","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84149?format=json","purl":"pkg:gem/nokogiri@1.18.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.3"}],"aliases":["GHSA-vvfq-8hwr-qm4m"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-chdv-jk6d-uuga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50194?format=json","vulnerability_id":"VCID-d13x-y75t-2ugx","summary":"Nokogiri does not check the return value from xmlC14NExecute\nNokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.\n\nJRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/advisories/GHSA-wx95-c6cv-8532","reference_id":"GHSA-wx95-c6cv-8532","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wx95-c6cv-8532"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532","reference_id":"GHSA-wx95-c6cv-8532","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74105?format=json","purl":"pkg:gem/nokogiri@1.19.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.1"}],"aliases":["GHSA-wx95-c6cv-8532"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d13x-y75t-2ugx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54806?format=json","vulnerability_id":"VCID-e2q6-558r-4kam","summary":"Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459\nNokogiri v1.16.5 upgrades its dependency libxml2 to\n[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.\n\nlibxml2 v2.12.7 addresses CVE-2024-34459:\n\n- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720\n- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720"},{"reference_url":"https://github.com/advisories/GHSA-r3w4-36x6-7r99","reference_id":"GHSA-r3w4-36x6-7r99","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r3w4-36x6-7r99"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml","reference_id":"GHSA-r95h-9x8f-r3f7.yml","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81252?format=json","purl":"pkg:gem/nokogiri@1.16.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.5"}],"aliases":["GHSA-r3w4-36x6-7r99"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e2q6-558r-4kam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47263?format=json","vulnerability_id":"VCID-gvjg-dk1p-2uek","summary":"Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader\nNokogiri upgrades its dependency libxml2 as follows:\n- v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6\n- v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4\n\nlibxml2 v2.11.7 and v2.12.5 address the following vulnerability:\n\nCVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062\n- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604\n- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri, and only if\nthe packaged libraries are being used. If you've overridden defaults at installation time to use\nsystem libraries instead of packaged libraries, you should instead pay attention to your distro's\nlibxml2 release announcements.\n\nJRuby users are not affected.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/advisories/GHSA-vcc3-rw6f-jv97","reference_id":"GHSA-vcc3-rw6f-jv97","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vcc3-rw6f-jv97"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","reference_id":"GHSA-xc9x-jj77-9p9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","reference_id":"GHSA-xc9x-jj77-9p9j.yml","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68770?format=json","purl":"pkg:gem/nokogiri@1.15.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.15.6"},{"url":"http://public2.vulnerablecode.io/api/packages/68769?format=json","purl":"pkg:gem/nokogiri@1.16.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2"}],"aliases":["GHSA-vcc3-rw6f-jv97"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvjg-dk1p-2uek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51506?format=json","vulnerability_id":"VCID-ktyd-dgdw-pber","summary":"Improper Handling of Unexpected Data Type in Nokogiri\n### Summary\n\nNokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers.\nFor CRuby users, this may allow specially crafted untrusted inputs to cause illegal\nmemory access errors (segfault) or reads from unrelated memory.\n\n### Severity\n\nThe Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1).\n\n### Mitigation\n\nCRuby users should upgrade to Nokogiri `>= 1.13.6`.\n\nJRuby users are not affected.\n\n### Workarounds\n\nTo avoid this vulnerability in affected applications, ensure the untrusted input is a\n`String` by calling `#to_s` or equivalent.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29181.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29181","reference_id":"","reference_type":"","scores":[{"value":"0.04183","scoring_system":"epss","scoring_elements":"0.88916","published_at":"2026-06-06T12:55:00Z"},{"value":"0.04183","scoring_system":"epss","scoring_elements":"0.88898","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29181"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/23","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2022/Dec/23"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-29181.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/"}],"url":"https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/"}],"url":"https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/"}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/"}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29181","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29181"},{"reference_url":"https://security.gentoo.org/glsa/202208-29","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-29"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:19Z/"}],"url":"https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri"},{"reference_url":"https://support.apple.com/kb/HT213532","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.apple.com/kb/HT213532"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2088684","reference_id":"2088684","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2088684"},{"reference_url":"https://github.com/advisories/GHSA-xh29-r2w5-wx8m","reference_id":"GHSA-xh29-r2w5-wx8m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xh29-r2w5-wx8m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8506","reference_id":"RHSA-2022:8506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8506"},{"reference_url":"https://usn.ubuntu.com/7659-1/","reference_id":"USN-7659-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7659-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/155631?format=json","purl":"pkg:gem/nokogiri@1.13.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.6"}],"aliases":["CVE-2022-29181","GHSA-xh29-r2w5-wx8m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ktyd-dgdw-pber"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51497?format=json","vulnerability_id":"VCID-mgf4-zdnr-tba4","summary":"Nokogiri XSLT transform has a memory leak\n## Summary\n\nNokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.\n\nFor applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack against long-running processes.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.19.3`.\n\nUsers may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to `Nokogiri::XSLT::Stylesheet#transform`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **Moderate Severity**, CVSS 5.3.\n\nEach leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.\n\nApplications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.\n\n\n## Resources\n\n- [CWE-401: Missing Release of Memory after Effective Lifetime](https://cwe.mitre.org/data/definitions/401.html)\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @Captainjack-kor.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v2fc-qm4h-8hqv"},{"reference_url":"https://github.com/advisories/GHSA-v2fc-qm4h-8hqv","reference_id":"GHSA-v2fc-qm4h-8hqv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v2fc-qm4h-8hqv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114534?format=json","purl":"pkg:gem/nokogiri@1.19.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.19.3"}],"aliases":["GHSA-v2fc-qm4h-8hqv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mgf4-zdnr-tba4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46947?format=json","vulnerability_id":"VCID-p6m6-7kgc-y3g8","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/discussions/3146","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/discussions/3146"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/604","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/604"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25062","reference_id":"CVE-2024-25062","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25062"},{"reference_url":"https://github.com/advisories/GHSA-xc9x-jj77-9p9j","reference_id":"GHSA-xc9x-jj77-9p9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc9x-jj77-9p9j"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j","reference_id":"GHSA-xc9x-jj77-9p9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml","reference_id":"GHSA-xc9x-jj77-9p9j.yml","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68770?format=json","purl":"pkg:gem/nokogiri@1.15.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.15.6"},{"url":"http://public2.vulnerablecode.io/api/packages/169016?format=json","purl":"pkg:gem/nokogiri@1.16.0.rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.0.rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/68769?format=json","purl":"pkg:gem/nokogiri@1.16.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.2"}],"aliases":["GHSA-xc9x-jj77-9p9j","GMS-2024-127"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p6m6-7kgc-y3g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51501?format=json","vulnerability_id":"VCID-pb6j-zdqw-g7cj","summary":"Nokogiri patches vendored libxml2 to resolve multiple CVEs\n## Summary\n\nNokogiri v1.18.9 patches the vendored libxml2 to address\nCVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795,\nand CVE-2025-49796.\n\n## Impact and severity\n\n### CVE-2025-6021\n\nA flaw was found in libxml2's xmlBuildQName function, where integer\noverflows in buffer size calculations can lead to a stack-based\nbuffer overflow. This issue can result in memory corruption or a\ndenial of service when processing crafted input.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae\n\n### CVE-2025-6170\n\nA flaw was found in the interactive shell of the xmllint command-line\ntool, used for parsing XML files. When a user inputs an overly long\ncommand, the program does not check the input size properly, which\ncan cause it to crash. This issue might allow attackers to run\nharmful code in rare configurations without modern protections.\n\nNVD claims a severity of 2.5 Low\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1\n\n### CVE-2025-49794\n\nA use-after-free vulnerability was found in libxml2. This issue\noccurs when parsing XPath elements under certain circumstances when\nthe XML schematron has the <sch:name path=\"...\"/> schema elements.\nThis flaw allows a malicious actor to craft a malicious XML document\nused as input for libxml, resulting in the program's crash using\nlibxml or other possible undefined behaviors.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n### CVE-2025-49795\n\nA NULL pointer dereference vulnerability was found in libxml2 when\nprocessing XPath XML expressions. This flaw allows an attacker to\ncraft a malicious XML input to libxml2, leading to a denial of service.\n\nNVD claims a severity of 7.5 High\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278\n\n### CVE-2025-49796\n\nA vulnerability was found in libxml2. Processing certain sch:name\nelements from the input XML file can trigger a memory corruption\nissue. This flaw allows an attacker to craft a malicious XML input\nfile that can lead libxml to crash, resulting in a denial of service\nor other possible undefined behavior due to sensitive data being\ncorrupted in memory.\n\nNVD claims a severity of 9.1 Critical\n(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)\n\nFixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5\n\n## Affected Versions\n\n- Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2\n\n## Patched Versions\n\n- Nokogiri >= 1.18.9\n\n## Mitigation\n\nUpgrade to Nokogiri v1.18.9 or later.\n\nUsers who are unable to upgrade Nokogiri may also choose a more\ncomplicated mitigation: compile and link Nokogiri against patched\nexternal libxml2 libraries which will also address these same issues.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/pull/3526","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/pull/3526"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-353f-x4gh-cqq8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49794","reference_id":"CVE-2025-49794","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49794"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49795","reference_id":"CVE-2025-49795","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49795"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49796","reference_id":"CVE-2025-49796","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49796"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6021","reference_id":"CVE-2025-6021","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6021"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6170","reference_id":"CVE-2025-6170","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6170"},{"reference_url":"https://github.com/advisories/GHSA-353f-x4gh-cqq8","reference_id":"GHSA-353f-x4gh-cqq8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-353f-x4gh-cqq8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85837?format=json","purl":"pkg:gem/nokogiri@1.18.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.9"}],"aliases":["GHSA-353f-x4gh-cqq8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pb6j-zdqw-g7cj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51492?format=json","vulnerability_id":"VCID-pr2j-1118-hqaa","summary":"Update bundled libxml2 to v2.10.3 to resolve multiple CVEs\n### Summary\n\nNokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to\n[v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from\nv2.9.14.\n\nlibxml2 v2.10.3 addresses the following known vulnerabilities:\n\n- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)\n- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)\n- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)\n\nPlease note that this advisory only applies to the CRuby implementation of\nNokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If\nyou've overridden defaults at installation time to use _system_ libraries\ninstead of packaged libraries, you should instead pay attention to your\ndistro's `libxml2` release announcements.\n\n\n### Mitigation\n\nUpgrade to Nokogiri `>= 1.13.9`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated\nmitigation: compile and link Nokogiri against external libraries libxml2\n`>= 2.10.3` which will also address these same issues.\n\n\n### Impact\n\n#### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)\n\n- **CVSS3 score**: Under evaluation\n- **Type**: Denial of service\n- **Description**: NULL Pointer Dereference allows attackers to cause a denial\nof service (or application crash). This only applies when lxml is used\ntogether with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not\naffected. It allows triggering crashes through forged input data, given a\nvulnerable code sequence in the application. The vulnerability is caused by\nthe iterwalk function (also used by the canonicalize function). Such code\nshouldn't be in wide-spread use, given that parsing + iterwalk would usually\nbe replaced with the more efficient iterparse function. However, an XML\nconverter that serialises to C14N would also be vulnerable, for example, and\nthere are legitimate use cases for this code sequence. If untrusted input is\nreceived (also remotely) and processed via iterwalk function, a crash can be\ntriggered.\n\nNokogiri maintainers investigated at #2620 and determined this CVE does not\naffect Nokogiri users.\n\n\n#### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)\n\n- **CVSS3 score**: Unspecified upstream\n- **Type**: Data corruption, denial of service\n- **Description**: When an entity reference cycle is detected, the entity\ncontent is cleared by setting its first byte to zero. But the entity content\nmight be allocated from a dict. In this case, the dict entry becomes corrupted\nleading to all kinds of logic errors, including memory errors like\ndouble-frees.\n\nSee https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2\n\n\n#### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)\n\n- **CVSS3 score**: Unspecified upstream\n- **Type**: Integer overflow\n- **Description**: Integer overflows with XML_PARSE_HUGE\n\nSee https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw"},{"reference_url":"https://github.com/advisories/GHSA-2qc6-mcvw-92cw","reference_id":"GHSA-2qc6-mcvw-92cw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qc6-mcvw-92cw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145080?format=json","purl":"pkg:gem/nokogiri@1.13.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qhx2-j1jc-cyev"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9"}],"aliases":["GHSA-2qc6-mcvw-92cw","GMS-2022-5550"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pr2j-1118-hqaa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51496?format=json","vulnerability_id":"VCID-q3td-7t4g-57ba","summary":"Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459\n## Summary\n\nNokogiri v1.16.5 upgrades its dependency libxml2 to\n[2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6.\n\nlibxml2 v2.12.7 addresses CVE-2024-34459:\n\n- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720\n- patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53\n\n## Impact\n\nThere is no impact to Nokogiri users because the issue is present only\nin libxml2's `xmllint` tool which Nokogiri does not provide or expose.\n\n## Timeline\n\n- 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced\n- 2024-05-13 08:30 EDT, nokogiri maintainers begin triage\n- 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5)\n  and this GHSA made public","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/720"},{"reference_url":"https://github.com/advisories/GHSA-r95h-9x8f-r3f7","reference_id":"GHSA-r95h-9x8f-r3f7","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r95h-9x8f-r3f7"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml","reference_id":"GHSA-r95h-9x8f-r3f7.yml","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-r95h-9x8f-r3f7.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81252?format=json","purl":"pkg:gem/nokogiri@1.16.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.16.5"}],"aliases":["GHSA-r95h-9x8f-r3f7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q3td-7t4g-57ba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78000?format=json","vulnerability_id":"VCID-qa31-1xtw-ybdg","summary":"An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40303.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40303.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40303","reference_id":"","reference_type":"","scores":[{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45889","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45961","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45957","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40303"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.3"},{"reference_url":"https://nokogiri.org/CHANGELOG.html#1139-2022-10-18","reference_id":"","reference_type":"","scores":[],"url":"https://nokogiri.org/CHANGELOG.html#1139-2022-10-18"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022224","reference_id":"1022224","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022224"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/21","reference_id":"21","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/21"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2136266","reference_id":"2136266","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2136266"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/24","reference_id":"24","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/24"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/25","reference_id":"25","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/25"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/26","reference_id":"26","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/26"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/27","reference_id":"27","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"http://seclists.org/fulldisclosure/2022/Dec/27"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40303","reference_id":"CVE-2022-40303","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40303"},{"reference_url":"https://security.gentoo.org/glsa/202210-39","reference_id":"GLSA-202210-39","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-39"},{"reference_url":"https://support.apple.com/kb/HT213531","reference_id":"HT213531","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://support.apple.com/kb/HT213531"},{"reference_url":"https://support.apple.com/kb/HT213533","reference_id":"HT213533","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://support.apple.com/kb/HT213533"},{"reference_url":"https://support.apple.com/kb/HT213534","reference_id":"HT213534","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://support.apple.com/kb/HT213534"},{"reference_url":"https://support.apple.com/kb/HT213535","reference_id":"HT213535","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://support.apple.com/kb/HT213535"},{"reference_url":"https://support.apple.com/kb/HT213536","reference_id":"HT213536","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://support.apple.com/kb/HT213536"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221209-0003/","reference_id":"ntap-20221209-0003","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-29T04:23:26Z/"}],"url":"https://security.netapp.com/advisory/ntap-20221209-0003/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8841","reference_id":"RHSA-2022:8841","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8841"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0173","reference_id":"RHSA-2023:0173","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0173"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0338","reference_id":"RHSA-2023:0338","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0338"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0413","reference_id":"RHSA-2024:0413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0413"},{"reference_url":"https://usn.ubuntu.com/5760-1/","reference_id":"USN-5760-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5760-1/"},{"reference_url":"https://usn.ubuntu.com/5760-2/","reference_id":"USN-5760-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5760-2/"},{"reference_url":"https://usn.ubuntu.com/7659-1/","reference_id":"USN-7659-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7659-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145080?format=json","purl":"pkg:gem/nokogiri@1.13.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qhx2-j1jc-cyev"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.9"}],"aliases":["CVE-2022-40303"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qa31-1xtw-ybdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42884?format=json","vulnerability_id":"VCID-qkq6-n1ds-x7e5","summary":"Inefficient Regular Expression Complexity\nNokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24836.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24836","reference_id":"","reference_type":"","scores":[{"value":"0.01827","scoring_system":"epss","scoring_elements":"0.83267","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01827","scoring_system":"epss","scoring_elements":"0.83241","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01827","scoring_system":"epss","scoring_elements":"0.83268","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24836"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836"},{"reference_url":"http://seclists.org/fulldisclosure/2022/Dec/23","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2022/Dec/23"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/"},{"reference_url":"https://security.gentoo.org/glsa/202208-29","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-29"},{"reference_url":"https://support.apple.com/kb/HT213532","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.apple.com/kb/HT213532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787","reference_id":"1009787","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009787"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2074346","reference_id":"2074346","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2074346"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24836","reference_id":"CVE-2022-24836","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24836"},{"reference_url":"https://github.com/advisories/GHSA-crjr-9rc5-ghw8","reference_id":"GHSA-crjr-9rc5-ghw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-crjr-9rc5-ghw8"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8","reference_id":"GHSA-crjr-9rc5-ghw8","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8506","reference_id":"RHSA-2022:8506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8506"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61129?format=json","purl":"pkg:gem/nokogiri@1.13.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4"}],"aliases":["CVE-2022-24836","GHSA-crjr-9rc5-ghw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qkq6-n1ds-x7e5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42886?format=json","vulnerability_id":"VCID-tggj-xch8-jqcv","summary":"XML Injection in Xerces Java affects Nokogiri\n## Summary\n\nNokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 \"Medium\" on the NVD record.\n\nPlease note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.\n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J\n\n- **Severity**: Medium\n- **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)\n- **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.\n- **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23437","reference_id":"CVE-2022-23437","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23437"},{"reference_url":"https://github.com/advisories/GHSA-h65f-jvqw-m9fj","reference_id":"GHSA-h65f-jvqw-m9fj","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h65f-jvqw-m9fj"},{"reference_url":"https://github.com/advisories/GHSA-xxx9-3xcr-gjj3","reference_id":"GHSA-xxx9-3xcr-gjj3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxx9-3xcr-gjj3"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3","reference_id":"GHSA-xxx9-3xcr-gjj3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61129?format=json","purl":"pkg:gem/nokogiri@1.13.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4"}],"aliases":["GHSA-xxx9-3xcr-gjj3","GMS-2022-788"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tggj-xch8-jqcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42878?format=json","vulnerability_id":"VCID-u2yz-dthy-1fdr","summary":"Denial of Service (DoS) in Nokogiri on JRuby\n## Summary\n\nNokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity).\n\nSee [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information.\n\nPlease note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `>= 1.13.4`.\n\n\n## Impact\n\n### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml\n\n- **Severity**: High 7.5\n- **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption\n- **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.\n- **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)","references":[{"reference_url":"https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ","reference_id":"","reference_type":"","scores":[],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24839","reference_id":"CVE-2022-24839","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24839"},{"reference_url":"https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv","reference_id":"GHSA-9849-p7jc-9rmv","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv"},{"reference_url":"https://github.com/advisories/GHSA-gx8x-g87m-h5q6","reference_id":"GHSA-gx8x-g87m-h5q6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gx8x-g87m-h5q6"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6","reference_id":"GHSA-gx8x-g87m-h5q6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61129?format=json","purl":"pkg:gem/nokogiri@1.13.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4"}],"aliases":["GHSA-gx8x-g87m-h5q6","GMS-2022-786"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u2yz-dthy-1fdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51493?format=json","vulnerability_id":"VCID-u6wn-nety-sbde","summary":"Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs\n## Summary\n\nNokogiri v1.18.4 upgrades its dependency libxslt to\n[v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).\n\nlibxslt v1.1.43 resolves:\n\n- CVE-2025-24855: Fix use-after-free of XPath context node\n- CVE-2024-55549: Fix UAF related to excluded namespaces\n\n## Impact\n\n### CVE-2025-24855\n\n- \"Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855\n\n### CVE-2024-55549\n\n- \"Use-after-free related to excluded result prefixes\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/127","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/128","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55549","reference_id":"CVE-2024-55549","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55549"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24855","reference_id":"CVE-2025-24855","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24855"},{"reference_url":"https://github.com/advisories/GHSA-mrxw-mxhj-p664","reference_id":"GHSA-mrxw-mxhj-p664","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mrxw-mxhj-p664"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84408?format=json","purl":"pkg:gem/nokogiri@1.18.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.4"}],"aliases":["GHSA-mrxw-mxhj-p664"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u6wn-nety-sbde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51490?format=json","vulnerability_id":"VCID-wnj6-hc4g-ykfs","summary":"Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415\n## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to\n[v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds\nmemory access can occur in the Python API (Python bindings) because\nof an incorrect return value. This occurs in xmlPythonFileRead and\nxmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2,\nxmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer\nunder-read. To exploit this, a crafted XML document must be validated\nagainst an XML schema with certain identity constraints, or a\ncrafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n> The bug affects validation against untrusted XML Schemas (.xsd)\n> and validation of untrusted documents against trusted Schemas if\n> they make use of xsd:keyref in combination with recursively\n> defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW\n(CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.","references":[{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/889","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/890","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8"},{"reference_url":"https://github.com/advisories/GHSA-5w6v-399v-w3cc","reference_id":"GHSA-5w6v-399v-w3cc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5w6v-399v-w3cc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84887?format=json","purl":"pkg:gem/nokogiri@1.18.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.18.8"}],"aliases":["GHSA-5w6v-399v-w3cc"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wnj6-hc4g-ykfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44899?format=json","vulnerability_id":"VCID-yrjg-2aw9-effx","summary":"Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs\n### Summary\n\nNokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.\n\nlibxml2 v2.10.4 addresses the following known vulnerabilities:\n\n- [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of empty dict strings isn't deterministic\n- [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref in xmlSchemaFixupComplexType\n- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.\n\n\n### Mitigation\n\nUpgrade to Nokogiri `>= 1.14.3`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these same issues.\n\n\n### Impact\n\nNo public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.\n\nThe commits can be examined at:\n\n- [[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64)\n- [[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f)\n- [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6)","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f"},{"reference_url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4"},{"reference_url":"https://github.com/advisories/GHSA-pxvg-2qj5-37jq","reference_id":"GHSA-pxvg-2qj5-37jq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pxvg-2qj5-37jq"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq","reference_id":"GHSA-pxvg-2qj5-37jq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64578?format=json","purl":"pkg:gem/nokogiri@1.14.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.14.3"}],"aliases":["GHSA-pxvg-2qj5-37jq","GMS-2023-1115"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yrjg-2aw9-effx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5005?format=json","vulnerability_id":"VCID-zudy-xe9p-3fgm","summary":"arbitrary code execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25032.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-25032.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-25032","reference_id":"","reference_type":"","scores":[{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25361","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25444","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25458","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-25032"},{"reference_url":"https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032"},{"reference_url":"http://seclists.org/fulldisclosure/2022/May/33","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"http://seclists.org/fulldisclosure/2022/May/33"},{"reference_url":"http://seclists.org/fulldisclosure/2022/May/35","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"http://seclists.org/fulldisclosure/2022/May/35"},{"reference_url":"http://seclists.org/fulldisclosure/2022/May/38","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"http://seclists.org/fulldisclosure/2022/May/38"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531"},{"reference_url":"https://github.com/madler/zlib/compare/v1.2.11...v1.2.12","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://github.com/madler/zlib/compare/v1.2.11...v1.2.12"},{"reference_url":"https://github.com/madler/zlib/issues/605","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://github.com/madler/zlib/issues/605"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/"},{"reference_url":"https://security.gentoo.org/glsa/202210-42","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://security.gentoo.org/glsa/202210-42"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220526-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220526-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220526-0009/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://security.netapp.com/advisory/ntap-20220526-0009/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220729-0004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220729-0004"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220729-0004/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://security.netapp.com/advisory/ntap-20220729-0004/"},{"reference_url":"https://support.apple.com/kb/HT213255","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://support.apple.com/kb/HT213255"},{"reference_url":"https://support.apple.com/kb/HT213256","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://support.apple.com/kb/HT213256"},{"reference_url":"https://support.apple.com/kb/HT213257","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://support.apple.com/kb/HT213257"},{"reference_url":"https://www.debian.org/security/2022/dsa-5111","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://www.debian.org/security/2022/dsa-5111"},{"reference_url":"https://www.openwall.com/lists/oss-security/2022/03/24/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://www.openwall.com/lists/oss-security/2022/03/24/1"},{"reference_url":"https://www.openwall.com/lists/oss-security/2022/03/28/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://www.openwall.com/lists/oss-security/2022/03/28/1"},{"reference_url":"https://www.openwall.com/lists/oss-security/2022/03/28/3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://www.openwall.com/lists/oss-security/2022/03/28/3"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/03/25/2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/03/25/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/03/26/1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"http://www.openwall.com/lists/oss-security/2022/03/26/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265","reference_id":"1008265","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067945","reference_id":"2067945","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2067945"},{"reference_url":"https://security.archlinux.org/ASA-202204-3","reference_id":"ASA-202204-3","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202204-3"},{"reference_url":"https://security.archlinux.org/AVG-2657","reference_id":"AVG-2657","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2657"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25032","reference_id":"CVE-2018-25032","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-25032"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml","reference_id":"CVE-2018-25032.YML","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-25032.yml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/","reference_id":"DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/","reference_id":"DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/"},{"reference_url":"https://github.com/advisories/GHSA-jc36-42cf-vqwj","reference_id":"GHSA-jc36-42cf-vqwj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jc36-42cf-vqwj"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5","reference_id":"GHSA-v6gp-9mmm-c6p5","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5"},{"reference_url":"https://security.gentoo.org/glsa/202405-22","reference_id":"GLSA-202405-22","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202405-22"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/","reference_id":"JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/","reference_id":"NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1591","reference_id":"RHSA-2022:1591","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1591"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1642","reference_id":"RHSA-2022:1642","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1642"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1661","reference_id":"RHSA-2022:1661","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1661"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2192","reference_id":"RHSA-2022:2192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2192"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2197","reference_id":"RHSA-2022:2197","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2197"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2198","reference_id":"RHSA-2022:2198","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2198"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2201","reference_id":"RHSA-2022:2201","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2201"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2213","reference_id":"RHSA-2022:2213","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2213"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:2214","reference_id":"RHSA-2022:2214","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:2214"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4584","reference_id":"RHSA-2022:4584","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4584"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4592","reference_id":"RHSA-2022:4592","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4592"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4845","reference_id":"RHSA-2022:4845","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4845"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:4896","reference_id":"RHSA-2022:4896","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:4896"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5439","reference_id":"RHSA-2022:5439","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5439"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7144","reference_id":"RHSA-2022:7144","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7144"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:7813","reference_id":"RHSA-2022:7813","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:7813"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8420","reference_id":"RHSA-2022:8420","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8420"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0943","reference_id":"RHSA-2023:0943","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0943"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0975","reference_id":"RHSA-2023:0975","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0975"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:0976","reference_id":"RHSA-2023:0976","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:0976"},{"reference_url":"https://usn.ubuntu.com/5355-1/","reference_id":"USN-5355-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5355-1/"},{"reference_url":"https://usn.ubuntu.com/5355-2/","reference_id":"USN-5355-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5355-2/"},{"reference_url":"https://usn.ubuntu.com/5359-1/","reference_id":"USN-5359-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5359-1/"},{"reference_url":"https://usn.ubuntu.com/5359-2/","reference_id":"USN-5359-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5359-2/"},{"reference_url":"https://usn.ubuntu.com/5739-1/","reference_id":"USN-5739-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5739-1/"},{"reference_url":"https://usn.ubuntu.com/6736-1/","reference_id":"USN-6736-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6736-1/"},{"reference_url":"https://usn.ubuntu.com/6736-2/","reference_id":"USN-6736-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6736-2/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/","reference_id":"VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/","reference_id":"XOKFMSNQ5D5WGMALBNBXU3GE442V74WU","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:30:25Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61129?format=json","purl":"pkg:gem/nokogiri@1.13.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.13.4"}],"aliases":["CVE-2018-25032","GHSA-jc36-42cf-vqwj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zudy-xe9p-3fgm"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5276?format=json","vulnerability_id":"VCID-u9gg-kzf2-9qap","summary":"xml external entity injection","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41098.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-41098.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41098","reference_id":"","reference_type":"","scores":[{"value":"0.00251","scoring_system":"epss","scoring_elements":"0.48663","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00251","scoring_system":"epss","scoring_elements":"0.48672","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00251","scoring_system":"epss","scoring_elements":"0.486","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41098"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-41098.yml"},{"reference_url":"https://github.com/sparklemotion/nokogiri","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri"},{"reference_url":"https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/commit/5bf729ff3cc84709ee3c3248c981584088bf9f6d"},{"reference_url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2008914","reference_id":"2008914","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2008914"},{"reference_url":"https://security.archlinux.org/AVG-2424","reference_id":"AVG-2424","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2424"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41098","reference_id":"CVE-2021-41098","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41098"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59149?format=json","purl":"pkg:gem/nokogiri@1.12.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5838-r3hp-wke4"},{"vulnerability":"VCID-5g9a-2484-rucp"},{"vulnerability":"VCID-66gp-78uh-aqem"},{"vulnerability":"VCID-67gm-m1up-gfaf"},{"vulnerability":"VCID-74wj-a72v-s3gk"},{"vulnerability":"VCID-aef6-wkbr-1kfb"},{"vulnerability":"VCID-bgcq-x9bd-83ap"},{"vulnerability":"VCID-chdv-jk6d-uuga"},{"vulnerability":"VCID-d13x-y75t-2ugx"},{"vulnerability":"VCID-e2q6-558r-4kam"},{"vulnerability":"VCID-gvjg-dk1p-2uek"},{"vulnerability":"VCID-ktyd-dgdw-pber"},{"vulnerability":"VCID-mgf4-zdnr-tba4"},{"vulnerability":"VCID-p6m6-7kgc-y3g8"},{"vulnerability":"VCID-pb6j-zdqw-g7cj"},{"vulnerability":"VCID-pr2j-1118-hqaa"},{"vulnerability":"VCID-q3td-7t4g-57ba"},{"vulnerability":"VCID-qa31-1xtw-ybdg"},{"vulnerability":"VCID-qkq6-n1ds-x7e5"},{"vulnerability":"VCID-tggj-xch8-jqcv"},{"vulnerability":"VCID-u2yz-dthy-1fdr"},{"vulnerability":"VCID-u6wn-nety-sbde"},{"vulnerability":"VCID-wnj6-hc4g-ykfs"},{"vulnerability":"VCID-yrjg-2aw9-effx"},{"vulnerability":"VCID-zudy-xe9p-3fgm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.12.5"}],"aliases":["CVE-2021-41098","GHSA-2rr5-8q37-2w7h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u9gg-kzf2-9qap"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/nokogiri@1.12.5"}