purl | pkg:gem/nokogiri@1.11.6 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-2c4c-yyw7-aaas (Aliases: CVE-2021-30560, GHSA-59gp-qqm7-cw4j) | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Affected by 25 other vulnerabilities. |
VCID-2fyr-85vm-aaak (Aliases: CVE-2023-45322) | ** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." | There are no reported fixed by versions. |
VCID-3q3t-625m-aaak (Aliases: CVE-2023-28484) | NULL Pointer Dereference: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. | Affected by 10 other vulnerabilities. |
VCID-3x6j-ugme-aaas (Aliases: GHSA-xc9x-jj77-9p9j, GMS-2024-127) | Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062 | Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-4j3k-2xfx-aaaj (Aliases: GHSA-v6gp-9mmm-c6p5, GMS-2022-787) | Out-of-bounds Write in zlib affects Nokogiri | Affected by 19 other vulnerabilities. |
VCID-5g2v-sxrc-aaaf (Aliases: CVE-2022-24836, GHSA-crjr-9rc5-ghw8) | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. | Affected by 19 other vulnerabilities. |
VCID-7yj5-4vjb-aaar (Aliases: CVE-2021-41098, GHSA-2rr5-8q37-2w7h) | Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby | Affected by 27 other vulnerabilities. |
VCID-7ytf-hshe-aaaa (Aliases: GHSA-r95h-9x8f-r3f7) | Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 | Affected by 4 other vulnerabilities. |
VCID-adp7-tpp1-8qbn (Aliases: GHSA-vvfq-8hwr-qm4m) | Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171. Summary: Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6 (https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6), which addresses CVE-2025-24928 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847) and CVE-2024-56171 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828). Impact: CVE-2025-24928: stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. CVE-2024-56171: use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. | Affected by 2 other vulnerabilities. |
VCID-b8ge-qb4s-aaad (Aliases: CVE-2022-40304) | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. | Affected by 15 other vulnerabilities. |
VCID-duvb-k7ce-aaar (Aliases: CVE-2022-29181, GHSA-xh29-r2w5-wx8m) | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. | Affected by 17 other vulnerabilities. |
VCID-dwdk-kk6d-43b2 (Aliases: GHSA-5w6v-399v-w3cc) | Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 | Affected by 0 other vulnerabilities. |
VCID-ejvv-2b2c-aaan (Aliases: GHSA-pxvg-2qj5-37jq, GMS-2023-1115) | Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs | Affected by 10 other vulnerabilities. |
VCID-fke8-gpzm-aaad (Aliases: CVE-2022-40303) | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. | Affected by 15 other vulnerabilities. |
VCID-n1r2-jqwt-jucp (Aliases: GHSA-5mwf-688x-mr7x) | Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171. Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6 (https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6), which addresses CVE-2025-24928 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847) and CVE-2024-56171 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828). | Affected by 2 other vulnerabilities. |
VCID-n3rk-tdn9-aaaa (Aliases: CVE-2022-23308) | valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | Affected by 25 other vulnerabilities. |
VCID-psj6-phjv-a7bb (Aliases: GHSA-mrxw-mxhj-p664) | Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs. Summary: Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43 (https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43), which resolves CVE-2025-24855 (fix use-after-free of XPath context node) and CVE-2024-55549 (fix UAF related to excluded namespaces). Impact: CVE-2025-24855, "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node", rated by MITRE 7.8 High (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H); upstream report https://gitlab.gnome.org/GNOME/libxslt/-/issues/128; NVD entry https://nvd.nist.gov/vuln/detail/CVE-2025-24855. CVE-2024-55549, "Use-after-free related to excluded result prefixes", rated by MITRE 7.8 High (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H); upstream report https://gitlab.gnome.org/GNOME/libxslt/-/issues/127; NVD entry https://nvd.nist.gov/vuln/detail/CVE-2024-55549. | Affected by 1 other vulnerability. |
VCID-rc6j-z37r-aaaq (Aliases: GHSA-r3w4-36x6-7r99) | Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 | Affected by 4 other vulnerabilities. |
VCID-rfmt-xmc2-aaan (Aliases: GHSA-xxx9-3xcr-gjj3, GMS-2022-788) | XML Injection in Xerces Java affects Nokogiri | Affected by 19 other vulnerabilities. |
VCID-scun-vfj2-aaaq (Aliases: GHSA-gx8x-g87m-h5q6, GMS-2022-786) | Denial of Service (DoS) in Nokogiri on JRuby | Affected by 19 other vulnerabilities. |
VCID-tu3y-7d5y-aaap (Aliases: GHSA-2qc6-mcvw-92cw, GMS-2022-5550) | Update bundled libxml2 to v2.10.3 to resolve multiple CVEs | Affected by 15 other vulnerabilities. |
VCID-tvba-4tuf-aaam (Aliases: GHSA-cgx6-hpwq-fhv5, GMS-2022-1438) | Integer Overflow or Wraparound in libxml2 affects Nokogiri | Affected by 18 other vulnerabilities. |
VCID-u9nd-yvuf-aaas (Aliases: GHSA-vcc3-rw6f-jv97) | Use-after-free in libxml2 via Nokogiri::XML::Reader | Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-us2h-627w-aaab (Aliases: CVE-2022-23476, GHSA-qv4q-mr5r-qprj) | Unchecked return value from xmlTextReaderExpand | Affected by 12 other vulnerabilities. |
VCID-v5mj-f96s-aaas (Aliases: CVE-2018-25032, GHSA-jc36-42cf-vqwj) | | Affected by 19 other vulnerabilities. |
VCID-vekd-aqst-aaas (Aliases: CVE-2017-15412, GHSA-r58r-74gx-6wx3) | Use After Free: Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Affected by 0 other vulnerabilities. |
VCID-wcpw-96g6-aaah (Aliases: GHSA-fq42-c5rg-92c2, GMS-2022-163) | Vulnerable dependencies in Nokogiri | Affected by 25 other vulnerabilities. |
VCID-wunb-embq-aaaq (Aliases: CVE-2023-29469) | Double Free: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). | Affected by 10 other vulnerabilities. |
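The listing above is keyed on a purl (`pkg:gem/nokogiri@1.11.6`), and several of its summaries state the Nokogiri release that fixes the entry (1.13.4 for CVE-2022-24836, 1.13.6 for CVE-2022-29181, 1.18.3 for GHSA-vvfq-8hwr-qm4m, 1.18.4 for GHSA-mrxw-mxhj-p664). The following is an added example, not code from VulnerableCode or from the Nokogiri project: it parses a purl and reports which of those four entries still apply to the version in it, using only Ruby's bundled `Gem::Version` ordering. The function names (`parse_purl`, `affected?`, `triage`) and the `ADVISORIES` table are this example's own; the table is restricted to entries whose summary names a Nokogiri version, because for the libxml2/libxslt-only entries the page does not say which Nokogiri release packages the fixed library.

```ruby
# Added example, not code from VulnerableCode or Nokogiri: parse a purl such as
# pkg:gem/nokogiri@1.11.6 and report which advisories on this page still apply,
# using the fixed-in Nokogiri versions their summaries state. Only Ruby's
# bundled rubygems version classes are used, so the nokogiri gem is not needed.
require "rubygems"

# Percent-decode one purl component. A literal "+" is kept as-is (unlike form
# decoding) because purl only reserves percent-encoding.
def pct_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Minimal purl parser: pkg:type/[namespace/]name@version[?qualifiers][#subpath]
# Returns a Hash with string keys. "#", "?" and "@" are split off in that
# order, so a percent-encoded "@" inside a name (npm scopes, for example) is
# never mistaken for the version separator.
def parse_purl(purl)
  raise ArgumentError, "not a purl: #{purl}" unless purl.start_with?("pkg:")
  rest = purl.delete_prefix("pkg:").sub(%r{\A/+}, "")
  rest, subpath = rest.split("#", 2)
  rest, qualifiers = rest.split("?", 2)
  rest, version = rest.split("@", 2)
  type, *path = rest.split("/")
  raise ArgumentError, "purl has no name: #{purl}" if path.empty?
  name = pct_decode(path.pop)
  namespace = path.empty? ? nil : path.map { |p| pct_decode(p) }.join("/")
  quals = (qualifiers || "").split("&").each_with_object({}) do |kv, h|
    key, value = kv.split("=", 2)
    next if key.nil? || key.empty?
    h[key.downcase] = pct_decode(value.to_s) # qualifier keys are case-insensitive
  end
  {
    "type" => type.downcase, "namespace" => namespace, "name" => name,
    "version" => version && pct_decode(version),
    "qualifiers" => quals, "subpath" => subpath,
  }
end

# Fixed-in Nokogiri versions as stated in the advisory summaries on this page
# (constructed for this example). Entries whose summary names only the fixed
# libxml2/libxslt version are left out: the page does not say which Nokogiri
# release packages that library version.
ADVISORIES = [
  { vcid: "VCID-5g2v-sxrc-aaaf", alias: "CVE-2022-24836",      fixed: "1.13.4" },
  { vcid: "VCID-duvb-k7ce-aaar", alias: "CVE-2022-29181",      fixed: "1.13.6" },
  { vcid: "VCID-adp7-tpp1-8qbn", alias: "GHSA-vvfq-8hwr-qm4m", fixed: "1.18.3" },
  { vcid: "VCID-psj6-phjv-a7bb", alias: "GHSA-mrxw-mxhj-p664", fixed: "1.18.4" },
].freeze

# True when `version` is older than the fixing release. Gem::Version orders a
# prerelease (e.g. 1.13.4.rc1) before its final release, so prereleases of the
# fixing version count as affected, which is the conservative answer.
def affected?(version, fixed)
  Gem::Version.new(version) < Gem::Version.new(fixed)
end

# Returns the VCIDs from `advisories` that still apply to the purl's version.
def triage(purl, advisories = ADVISORIES)
  parsed = parse_purl(purl)
  raise ArgumentError, "expected a gem purl, got type #{parsed['type']}" unless parsed["type"] == "gem"
  raise ArgumentError, "purl has no version: #{purl}" if parsed["version"].nil?
  advisories.select { |a| affected?(parsed["version"], a[:fixed]) }.map { |a| a[:vcid] }
end

if $PROGRAM_NAME == __FILE__
  purl = ARGV.fetch(0, "pkg:gem/nokogiri@1.11.6")
  hits = triage(purl)
  puts hits.empty? ? "#{purl}: none of the listed advisories apply" : "#{purl}: affected by #{hits.join(', ')}"
end
```

Run it as `ruby triage.rb pkg:gem/nokogiri@1.11.6` and it names all four entries; `pkg:gem/nokogiri@1.13.6` narrows that to the two 2025 entries, and `pkg:gem/nokogiri@1.18.4` to none. One caveat a version-only check cannot cover: the entries above describe the libxml2 and libxslt that Nokogiri packages, but a Nokogiri built against system libraries uses whatever the distribution ships. On a host where the gem is installed, `Nokogiri::VERSION_INFO["libxml"]["loaded"]` reports the libxml2 actually in use, and that is the version to compare against the libxml2-only rows.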
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |