Search for packages
| purl | pkg:gem/nokogiri@1.11.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-29mt-tpku-aaab
Aliases: CVE-2021-3517 GHSA-jw9f-hh49-cvp9 |
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | There are no reported fixed by versions. |
|
VCID-2c4c-yyw7-aaas
Aliases: CVE-2021-30560 GHSA-59gp-qqm7-cw4j |
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Affected by 25 other vulnerabilities. |
|
VCID-2fyr-85vm-aaak
Aliases: CVE-2023-45322 |
** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." | There are no reported fixed by versions. |
|
VCID-3q3t-625m-aaak
Aliases: CVE-2023-28484 |
NULL Pointer Dereference In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. |
Affected by 10 other vulnerabilities. |
|
VCID-3x6j-ugme-aaas
Aliases: GHSA-xc9x-jj77-9p9j GMS-2024-127 |
Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062 |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-4j3k-2xfx-aaaj
Aliases: GHSA-v6gp-9mmm-c6p5 GMS-2022-787 |
Out-of-bounds Write in zlib affects Nokogiri |
Affected by 19 other vulnerabilities. |
|
VCID-5g2v-sxrc-aaaf
Aliases: CVE-2022-24836 GHSA-crjr-9rc5-ghw8 |
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. |
Affected by 19 other vulnerabilities. |
|
VCID-7yj5-4vjb-aaar
Aliases: CVE-2021-41098 GHSA-2rr5-8q37-2w7h |
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby |
Affected by 27 other vulnerabilities. |
|
VCID-7ytf-hshe-aaaa
Aliases: GHSA-r95h-9x8f-r3f7 |
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 |
Affected by 4 other vulnerabilities. |
|
VCID-adp7-tpp1-8qbn
Aliases: GHSA-vvfq-8hwr-qm4m |
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. |
Affected by 2 other vulnerabilities. |
|
VCID-b8ge-qb4s-aaad
Aliases: CVE-2022-40304 |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. |
Affected by 15 other vulnerabilities. |
|
VCID-duvb-k7ce-aaar
Aliases: CVE-2022-29181 GHSA-xh29-r2w5-wx8m |
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. |
Affected by 17 other vulnerabilities. |
|
VCID-dwdk-kk6d-43b2
Aliases: GHSA-5w6v-399v-w3cc |
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 |
Affected by 0 other vulnerabilities. |
|
VCID-ejvv-2b2c-aaan
Aliases: GHSA-pxvg-2qj5-37jq GMS-2023-1115 |
Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs |
Affected by 10 other vulnerabilities. |
|
VCID-fke8-gpzm-aaad
Aliases: CVE-2022-40303 |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. |
Affected by 15 other vulnerabilities. |
|
VCID-n1r2-jqwt-jucp
Aliases: GHSA-5mwf-688x-mr7x |
Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 |
Affected by 2 other vulnerabilities. |
|
VCID-n3rk-tdn9-aaaa
Aliases: CVE-2022-23308 |
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. |
Affected by 25 other vulnerabilities. |
|
VCID-psj6-phjv-a7bb
Aliases: GHSA-mrxw-mxhj-p664 |
Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs ## Summary Nokogiri v1.18.4 upgrades its dependency libxslt to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43). libxslt v1.1.43 resolves: - CVE-2025-24855: Fix use-after-free of XPath context node - CVE-2024-55549: Fix UAF related to excluded namespaces ## Impact ### CVE-2025-24855 - "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855 ### CVE-2024-55549 - "Use-after-free related to excluded result prefixes" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549 |
Affected by 1 other vulnerability. |
|
VCID-rc6j-z37r-aaaq
Aliases: GHSA-r3w4-36x6-7r99 |
Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 |
Affected by 4 other vulnerabilities. |
|
VCID-rfmt-xmc2-aaan
Aliases: GHSA-xxx9-3xcr-gjj3 GMS-2022-788 |
XML Injection in Xerces Java affects Nokogiri |
Affected by 19 other vulnerabilities. |
|
VCID-scun-vfj2-aaaq
Aliases: GHSA-gx8x-g87m-h5q6 GMS-2022-786 |
Denial of Service (DoS) in Nokogiri on JRuby |
Affected by 19 other vulnerabilities. |
|
VCID-tu3y-7d5y-aaap
Aliases: GHSA-2qc6-mcvw-92cw GMS-2022-5550 |
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs |
Affected by 15 other vulnerabilities. |
|
VCID-tvba-4tuf-aaam
Aliases: GHSA-cgx6-hpwq-fhv5 GMS-2022-1438 |
Integer Overflow or Wraparound in libxml2 affects Nokogiri |
Affected by 18 other vulnerabilities. |
|
VCID-u9nd-yvuf-aaas
Aliases: GHSA-vcc3-rw6f-jv97 |
Use-after-free in libxml2 via Nokogiri::XML::Reader |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-us2h-627w-aaab
Aliases: CVE-2022-23476 GHSA-qv4q-mr5r-qprj |
Unchecked return value from xmlTextReaderExpand |
Affected by 12 other vulnerabilities. |
|
VCID-v5mj-f96s-aaas
Aliases: CVE-2018-25032 GHSA-jc36-42cf-vqwj |
Affected by 19 other vulnerabilities. |
|
|
VCID-vekd-aqst-aaas
Aliases: CVE-2017-15412 GHSA-r58r-74gx-6wx3 |
Use After Free Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Affected by 0 other vulnerabilities. |
|
VCID-wcpw-96g6-aaah
Aliases: GHSA-fq42-c5rg-92c2 GMS-2022-163 |
Vulnerable dependencies in Nokogiri |
Affected by 25 other vulnerabilities. |
|
VCID-wdr9-vsu9-aaap
Aliases: CVE-2021-3518 GHSA-v4f8-2847-rwm7 |
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | There are no reported fixed by versions. |
|
VCID-wunb-embq-aaaq
Aliases: CVE-2023-29469 |
Double Free An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). |
Affected by 10 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-29mt-tpku-aaab | There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. |
CVE-2021-3517
GHSA-jw9f-hh49-cvp9 |
| VCID-gn1q-6cht-aaap | A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. |
CVE-2021-3537
GHSA-286v-pcf5-25rc |
| VCID-rg4z-at9n-aaaa | GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. |
CVE-2020-24977
|
| VCID-sdba-sgwc-aaaj | A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. |
CVE-2021-3541
|
| VCID-wdr9-vsu9-aaap | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. |
CVE-2021-3518
GHSA-v4f8-2847-rwm7 |
| VCID-zdpk-yrsb-aaag | Update packaged dependency libxml2 from 2.9.10 to 2.9.12 |
GHSA-7rrm-v45f-jp64
GMS-2021-171 |