Search for packages
| purl | pkg:gem/nokogiri@1.6.3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-19rw-91aw-xyb9
Aliases: GMS-2015-52 |
Vulnerabilities in libxml2 The vendored version of libxml2 is affected by multiple vulnerabilities. |
Affected by 46 other vulnerabilities. |
|
VCID-1tg8-f975-q3b9
Aliases: CVE-2022-40304 |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. |
Affected by 11 other vulnerabilities. |
|
VCID-3fah-6hhr-pbdw
Aliases: CVE-2016-4658 GHSA-fr52-4hqw-p27f |
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. |
Affected by 43 other vulnerabilities. |
|
VCID-3kn4-5bk5-7bht
Aliases: CVE-2020-7595 GHSA-7553-jr98-vx47 |
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8 CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable. |
Affected by 29 other vulnerabilities. |
|
VCID-426k-ced5-jbhk
Aliases: CVE-2017-5029 GHSA-pf6m-fxpq-fg8v |
Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 nokogiri version 1.7.2 has been released. This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat. These patches only apply when using Nokogiri's vendored libxslt package. If you're using your distro's system libraries, there's no need to upgrade from 1.7.0.1 or 1.7.1 at this time. Full details are available at the github issue linked to in the changelog below. ----- # 1.7.2 / 2017-05-09 ## Security Notes [MRI] Upstream libxslt patches are applied to the vendored libxslt 1.1.29 which address CVE-2017-5029 and CVE-2016-4738. For more information: * https://github.com/sparklemotion/nokogiri/issues/1634 * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html |
Affected by 43 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-68me-whtg-cybp
Aliases: CVE-2022-24839 GHSA-9849-p7jc-9rmv GHSA-gx8x-g87m-h5q6 GMS-2022-786 |
Denial of Service (DoS) in Nokogiri on JRuby ## Summary Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity). See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information. Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. ## Mitigation Upgrade to Nokogiri `>= 1.13.4`. ## Impact ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml - **Severity**: High 7.5 - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) |
Affected by 15 other vulnerabilities. |
|
VCID-7c35-78dy-a7cy
Aliases: CVE-2019-11068 GHSA-qxcg-xjjg-66mj |
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Nokogiri v1.10.3 has been released. This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt. Full details about the security update are available in Github Issue [#1892] https://github.com/sparklemotion/nokogiri/issues/1892. --- CVE-2019-11068 Permalinks are: - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068 - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068 Description: > libxslt through 1.1.33 allows bypass of a protection mechanism > because callers of xsltCheckRead and xsltCheckWrite permit access > even upon receiving a -1 error code. xsltCheckRead can return -1 for > a crafted URL that is not actually invalid and is subsequently > loaded. Canonical rates this as "Priority: Medium". Debian rates this as "NVD Severity: High (attack range: remote)". |
Affected by 35 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-7f9b-5urr-3kgt
Aliases: GHSA-cgx6-hpwq-fhv5 GMS-2022-1438 |
Integer Overflow or Wraparound in libxml2 affects Nokogiri ### Summary Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to [v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14). libxml2 v2.9.14 addresses [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824). This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow. Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.5`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.13.5`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.9.14` which will also address these same issues. ### Impact #### libxml2 [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824) - **CVSS3 score**: - Unspecified upstream - Nokogiri maintainers evaluate at 8.6 (High) ([CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)). Note that this is different from the CVSS assessed by NVD. - **Type**: Denial of service, information disclosure - **Description**: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24 All versions of libml2 prior to v2.9.14 are affected. Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service. ### References - [libxml2 v2.9.14 release notes](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14) - [CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824) - [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html) |
Affected by 14 other vulnerabilities. |
|
VCID-7tpt-22cm-uufe
Aliases: GHSA-7rrm-v45f-jp64 GMS-2021-171 |
Update packaged dependency libxml2 from 2.9.10 to 2.9.12 ### Summary Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) (Medium severity) - [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) (Medium severity) - [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) (Medium severity) - [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) (Medium severity) - [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) (Low severity) - [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) (Low severity) Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see #1992). Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.11.4`, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.11.4`. ### Impact I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete. All information below is sourced from [security.archlinux.org](https://security.archlinux.org), which appears to have the most up-to-date information as of this analysis. #### [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) - **Severity**: Medium - **Type**: Denial of service - **Description**: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) - **Severity**: Medium - **Type**: Denial of service - **Description**: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5 This has been patched in Nokogiri since v1.10.8 (see #1992). #### [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) - **Severity**: Medium - **Type**: Information disclosure - **Description**: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) - **Severity**: Medium - **Type**: Arbitrary code execution (no remote vector) - **Description**: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship `xmllint`. #### [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) - **Severity**: Medium - **Type**: Arbitrary code execution - **Description**: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) - **Severity**: Medium - **Type**: Arbitrary code execution - **Description**: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) - **Severity**: Low - **Type**: Denial of service - **Description**: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. - **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243 - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61 Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4. #### [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) - **Severity**: Low - **Type**: Denial of service - **Description**: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. - **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into `DTDLOAD` which is off by default). For more details supporting this analysis of this CVE, please visit #2233. |
Affected by 22 other vulnerabilities. |
|
VCID-8rfn-pfa6-ruct
Aliases: GHSA-r95h-9x8f-r3f7 |
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 ## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public |
Affected by 5 other vulnerabilities. |
|
VCID-96gv-ug8n-juhb
Aliases: CVE-2022-23437 GHSA-h65f-jvqw-m9fj GHSA-xxx9-3xcr-gjj3 GMS-2022-788 |
XML Injection in Xerces Java affects Nokogiri ## Summary Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record. Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. ## Mitigation Upgrade to Nokogiri `>= v1.13.4`. ## Impact ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J - **Severity**: Medium - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection) - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj |
Affected by 15 other vulnerabilities. |
|
VCID-an1m-3ay2-wffk
Aliases: GHSA-vvfq-8hwr-qm4m |
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. |
Affected by 3 other vulnerabilities. |
|
VCID-b2ap-r3uw-hbea
Aliases: CVE-2021-41098 GHSA-2rr5-8q37-2w7h |
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby ### Severity The Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.0)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:L) for JRuby users. (This security advisory does not apply to CRuby users.) ### Impact In Nokogiri v1.12.4 and earlier, **on JRuby only**, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: - Nokogiri::XML::SAX::Parser - Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser - Nokogiri::XML::SAX::PushParser - Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser ### Mitigation JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected. |
Affected by 21 other vulnerabilities. |
|
VCID-b7e6-kts2-7yhq
Aliases: CVE-2021-3518 GHSA-v4f8-2847-rwm7 |
Nokogiri Implements libxml2 version vulnerable to use-after-free There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. |
Affected by 22 other vulnerabilities. |
|
VCID-b7k6-crmu-3bfa
Aliases: GHSA-mrxw-mxhj-p664 |
Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs ## Summary Nokogiri v1.18.4 upgrades its dependency libxslt to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43). libxslt v1.1.43 resolves: - CVE-2025-24855: Fix use-after-free of XPath context node - CVE-2024-55549: Fix UAF related to excluded namespaces ## Impact ### CVE-2025-24855 - "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855 ### CVE-2024-55549 - "Use-after-free related to excluded result prefixes" - MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H - Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127 - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549 |
Affected by 2 other vulnerabilities. |
|
VCID-bgyq-xs6a-yfae
Aliases: GHSA-pxvg-2qj5-37jq GMS-2023-1115 |
Update packaged libxml2 to v2.10.4 to resolve multiple CVEs ### Summary Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3. libxml2 v2.10.4 addresses the following known vulnerabilities: - [CVE-2023-29469](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469): Hashing of empty dict strings isn't deterministic - [CVE-2023-28484](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484): Fix null deref in xmlSchemaFixupComplexType - Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.14.3`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.14.3`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.4` which will also address these same issues. ### Impact No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs. The commits can be examined at: - [\[CVE-2023-29469\] Hashing of empty dict strings isn't deterministic (09a2dd45)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/09a2dd453007f9c7205274623acdd73747c22d64) - [\[CVE-2023-28484\] Fix null deref in xmlSchemaFixupComplexType (647e072e)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/647e072ea0a2f12687fa05c172f4c4713fdb0c4f) - [schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)](https://gitlab.gnome.org/GNOME/libxml2/-/commit/4c6922f763ad958c48ff66f82823ae21f2e92ee6) |
Affected by 9 other vulnerabilities. |
|
VCID-bpwu-gpw3-qkcp
Aliases: CVE-2018-14404 GHSA-6qvp-r6r3-9p7h |
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. Full details about the security update are available in Github Issue #1785. [#1785]: https://github.com/sparklemotion/nokogiri/issues/1785 ----- [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. ----- CVE-2018-14404 Permalink: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html Description: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application Canonical rates this vulnerability as "Priority: Medium" ----- CVE-2018-14567 Permalink: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html Description: infinite loop in LZMA decompression Canonical rates this vulnerability as "Priority: Medium" |
Affected by 36 other vulnerabilities. |
|
VCID-cbav-vay5-xbb5
Aliases: GHSA-r3w4-36x6-7r99 |
Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459 ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references. ## Original Description ## Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to [2.12.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7) from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 ## Impact There is no impact to Nokogiri users because the issue is present only in libxml2's `xmllint` tool which Nokogiri does not provide or expose. ## Timeline - 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced - 2024-05-13 08:30 EDT, nokogiri maintainers begin triage - 2024-05-13 10:05 EDT, nokogiri [v1.16.5 is released](https://github.com/sparklemotion/nokogiri/releases/tag/v1.16.5) and this GHSA made public |
Affected by 5 other vulnerabilities. |
|
VCID-d5u9-vp6q-nkbw
Aliases: GMS-2015-43 |
Unsafe parsing of unclosed comments Parsing an unclosed comment can result in `Conditional jump or move depends on uninitialised value(s)` and unsafe memory access. |
Affected by 48 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-em2y-g1ch-8kbg
Aliases: GHSA-5w6v-399v-w3cc |
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415 ## Summary Nokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8). libxml2 v2.13.8 addresses: - CVE-2025-32414 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 - CVE-2025-32415 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 ## Impact ### CVE-2025-32414: No impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. **There is no impact** from this CVE for Nokogiri users. ### CVE-2025-32415: Low impact In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. In the upstream issue, further context is provided by the maintainer: > The bug affects validation against untrusted XML Schemas (.xsd) > and validation of untrusted documents against trusted Schemas if > they make use of xsd:keyref in combination with recursively > defined types that have additional identity constraints. MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE. |
Affected by 1 other vulnerability. |
|
VCID-f5ku-zjud-g3gw
Aliases: CVE-2020-26247 GHSA-vr8q-g5c7-m54m |
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability ### Description In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by `Nokogiri::XML::Schema` are **trusted** by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as **untrusted** by default whenever possible. Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity". ### Affected Versions Nokogiri `<= 1.10.10` as well as prereleases `1.11.0.rc1`, `1.11.0.rc2`, and `1.11.0.rc3` ### Mitigation There are no known workarounds for affected versions. Upgrade to Nokogiri `1.11.0.rc4` or later. If, after upgrading to `1.11.0.rc4` or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior): 1. Ensure the input is trusted. Do not enable this option for untrusted input. 2. When invoking the `Nokogiri::XML::Schema` constructor, pass as the second parameter an instance of `Nokogiri::XML::ParseOptions` with the `NONET` flag turned off. So if your previous code was: ``` ruby # in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network # but in v1.11.0.rc4 and later, this call will disallow network access for external resources schema = Nokogiri::XML::Schema.new(schema) # in v1.11.0.rc4 and later, the following is equivalent to the code above # (the second parameter is optional, and this demonstrates its default value) schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA) ``` Then you can add the second parameter to indicate that the input is trusted by changing it to: ``` ruby # in v1.11.0.rc3 and earlier, this would raise an ArgumentError # but in v1.11.0.rc4 and later, this allows resources to be accessed over the network schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet) ``` |
Affected by 27 other vulnerabilities. |
|
VCID-fbqa-27jk-rbcb
Aliases: GHSA-5mwf-688x-mr7x |
Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references. # Original Description ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. |
Affected by 3 other vulnerabilities. |
|
VCID-fqch-vvhz-xyb2
Aliases: GHSA-vcc3-rw6f-jv97 |
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader # Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xc9x-jj77-9p9j. This link is maintained to preserve external references. # Original Description ### Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements. JRuby users are not affected. ### Severity The Nokogiri maintainers have evaluated this as **Moderate**. ### Impact From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`): > When using the XML Reader interface with DTD validation and XInclude expansion enabled, > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. ### Mitigation Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ftr9-5h71-z3et
Aliases: CVE-2021-3537 GHSA-286v-pcf5-25rc |
Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. |
Affected by 22 other vulnerabilities. |
|
VCID-h12s-4b71-ekev
Aliases: CVE-2015-5312 GHSA-xjqg-9jvg-fgx2 |
Nokogiri gem contains several vulnerabilities in libxml2 Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7500 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-8241 CVSS v2 Base Score: 6.4 (MEDIUM) The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8242 CVSS v2 Base Score: 5.8 (MEDIUM) The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8317 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read. |
Affected by 46 other vulnerabilities. |
|
VCID-h58b-23z1-xkdz
Aliases: CVE-2022-24836 GHSA-crjr-9rc5-ghw8 |
Inefficient Regular Expression Complexity in Nokogiri ## Summary Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. ## Mitigation Upgrade to Nokogiri `>= 1.13.4`. |
Affected by 15 other vulnerabilities. |
|
VCID-mtzw-nkcm-wfcn
Aliases: CVE-2018-25032 GHSA-jc36-42cf-vqwj GHSA-v6gp-9mmm-c6p5 GMS-2022-787 |
Out-of-bounds Write in zlib affects Nokogiri ## Summary Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05. Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) for a complete description of which platform gems vendor `zlib`. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `zlib` release announcements. ## Mitigation Upgrade to Nokogiri `>= v1.13.4`. ## Impact ### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) in zlib - **Severity**: High - **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) Out of bounds write - **Description**: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
Affected by 15 other vulnerabilities. |
|
VCID-muvh-8zw6-tbbn
Aliases: CVE-2015-1819 GHSA-q7wx-62r7-j2x7 |
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on. CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory. CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted specially XML data. CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data. CVE-2015-7995 The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check whether the parent node is an element, which allows attackers to cause a denial of service using a specially crafted XML document. CVE-2015-8035 The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. Another vulnerability was discoverd in libxml2 that could cause parsing of unclosed comments to result in "conditional jump or move depends on uninitialized value(s)" and unsafe memory access. This issue does not have a CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4. |
Affected by 48 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-mx2v-pgx9-w3cp
Aliases: CVE-2022-40303 |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. |
Affected by 11 other vulnerabilities. |
|
VCID-n13q-cuhb-27g2
Aliases: CVE-2015-8806 GHSA-7hp2-xwpj-95jq |
Denial of service or RCE from libxml2 and libxslt Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks. For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/ |
Affected by 44 other vulnerabilities. |
|
VCID-n4jq-m1j3-1uh8
Aliases: USN-3424-1 |
Vulnerabilities in libxml2 The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375) It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376) Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047) Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048) Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050) |
Affected by 40 other vulnerabilities. |
|
VCID-npr9-4epg-hbc8
Aliases: CVE-2019-13118 GHSA-cf46-6xxh-pc75 |
libxslt Type Confusion vulnerability that affects Nokogiri In `numbers.c` in libxslt 1.1.33, a type holding grouping characters of an `xsl:number` instruction was too narrow and an invalid character/length combination could be passed to `xsltNumberFormatDecimal`, leading to a read of uninitialized stack data. Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt. |
Affected by 30 other vulnerabilities. |
|
VCID-nt8x-sgpg-ffh3
Aliases: CVE-2018-8048 GHSA-x7rv-cr6v-4vm4 |
Revert libxml2 behavior in Nokogiri gem that could cause XSS [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: https://github.com/GNOME/libxml2/commit/960f0e2 and more information is available about this commit and its impact here: https://github.com/flavorjones/loofah/issues/144 This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: https://bugzilla.gnome.org/show_bug.cgi?id=769760 |
Affected by 37 other vulnerabilities. |
|
VCID-qcfr-u9jt-1fex
Aliases: CVE-2017-16932 GHSA-x2fm-93ww-ggvx |
Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.5. Wei Lei discovered that libxml2 incorrecty handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service. |
Affected by 40 other vulnerabilities. |
|
VCID-qyqp-kns2-t3h6
Aliases: CVE-2019-5815 GHSA-vmfx-gcfq-wvm2 |
Nokogiri implementation of libxslt vulnerable to heap corruption Type confusion in `xsltNumberFormatGetMultipleLevel` prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue. |
Affected by 32 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-qzdv-5fc6-vbea
Aliases: CVE-2015-7499 GHSA-jxjr-5h69-qw3w |
Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE: CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. |
Affected by 45 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
VCID-rcuu-68e3-1bgq
Aliases: CVE-2021-30560 GHSA-59gp-qqm7-cw4j GHSA-fq42-c5rg-92c2 GMS-2022-163 |
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) ## Summary Nokogiri v1.13.2 upgrades two of its packaged dependencies: * vendored libxml2 from v2.9.12 to v2.9.13 * vendored libxslt from v1.1.34 to v1.1.35 Those library versions address the following upstream CVEs: * libxslt: CVE-2021-30560 (CVSS 8.8, High severity) * libxml2: CVE-2022-23308 (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. ## Mitigation Upgrade to Nokogiri >= 1.13.2. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs. ## Impact * libxslt CVE-2021-30560 * CVSS3 score: 8.8 (High) Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 CVE-2022-23308 * As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. * Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 * Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT` set to false. An analysis of these parse options: * While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. * `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing untrusted documents is vulnerable and should be upgraded immediately. |
Affected by 19 other vulnerabilities. |
|
VCID-refb-dn2k-b7cq
Aliases: GHSA-xc9x-jj77-9p9j GMS-2024-127 |
Use-after-free in libxml2 via Nokogiri::XML::Reader ### Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements. JRuby users are not affected. ### Severity The Nokogiri maintainers have evaluated this as **Moderate**. ### Impact From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`): > When using the XML Reader interface with DTD validation and XInclude expansion enabled, > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. ### Mitigation Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-t2s3-2ehw-zkfu
Aliases: CVE-2021-3517 GHSA-jw9f-hh49-cvp9 |
Nokogiri contains libxml Out-of-bounds Write vulnerability There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2. |
Affected by 22 other vulnerabilities. |
|
VCID-ud6a-dg4y-xygw
Aliases: GHSA-353f-x4gh-cqq8 |
Nokogiri patches vendored libxml2 to resolve multiple CVEs ## Summary Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. ## Impact and severity ### CVE-2025-6021 A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae ### CVE-2025-6170 A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1 ### CVE-2025-49794 A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5 ### CVE-2025-49795 A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service. NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278 ### CVE-2025-49796 A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5 ## Affected Versions - Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2 ## Patched Versions - Nokogiri >= 1.18.9 ## Mitigation Upgrade to Nokogiri v1.18.9 or later. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues. |
Affected by 0 other vulnerabilities. |
|
VCID-unad-wpdw-jufv
Aliases: CVE-2022-29181 GHSA-xh29-r2w5-wx8m |
Improper Handling of Unexpected Data Type in Nokogiri ### Summary Nokogiri `< v1.13.6` does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. ### Severity The Nokogiri maintainers have evaluated this as **High 8.2** (CVSS3.1). ### Mitigation CRuby users should upgrade to Nokogiri `>= 1.13.6`. JRuby users are not affected. ### Workarounds To avoid this vulnerability in affected applications, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. |
Affected by 13 other vulnerabilities. |
|
VCID-upj8-wt85-tufp
Aliases: CVE-2017-15412 GHSA-r58r-74gx-6wx3 |
Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated these issue by upgrading to libxml 2.9.6. It was discovered that libxml2 incorrecty handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service. |
Affected by 38 other vulnerabilities. |
|
VCID-w2vx-75ad-cqc4
Aliases: CVE-2020-24977 |
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. |
Affected by 22 other vulnerabilities. |
|
VCID-wnhp-p6kc-cuhj
Aliases: GMS-2015-42 |
Multiple vulnerabilities in libxml2, libxslt The vendored libxml2 and libxslt libraries have multiple vulnerabilities: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995 |
Affected by 50 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-x155-eq3w-nkb4
Aliases: GHSA-2qc6-mcvw-92cw GMS-2022-5550 |
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs ### Summary Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to [v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from v2.9.14. libxml2 v2.10.3 addresses the following known vulnerabilities: - [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) - [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) - [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ### Mitigation Upgrade to Nokogiri `>= 1.13.9`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.3` which will also address these same issues. ### Impact #### libxml2 [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309) - **CVSS3 score**: Under evaluation - **Type**: Denial of service - **Description**: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users. #### libxml2 [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304) - **CVSS3 score**: Unspecified upstream - **Type**: Data corruption, denial of service - **Description**: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees. See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2 #### libxml2 [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303) - **CVSS3 score**: Unspecified upstream - **Type**: Integer overflow - **Description**: Integer overflows with XML_PARSE_HUGE See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 |
Affected by 11 other vulnerabilities. |
|
VCID-y36w-m9px-c7c7
Aliases: CVE-2017-18258 GHSA-882p-jqgm-f45g |
Moderate severity vulnerability that affects nokogiri The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. References: - https://nvd.nist.gov/vuln/detail/CVE-2017-18258 - https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb - https://github.com/advisories/GHSA-882p-jqgm-f45g - https://kc.mcafee.com/corporate/index?page=content&id=SB10284 - https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html - https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html - https://security.netapp.com/advisory/ntap-20190719-0001/ - https://usn.ubuntu.com/3739-1/ |
Affected by 38 other vulnerabilities. |
|
VCID-yjtd-j2xx-73hm
Aliases: CVE-2019-13117 GHSA-4hm9-844j-jmxp |
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Nokogiri v1.10.5 has been released. This is a security release. It addresses three CVEs in upstream libxml2, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses these vulnerabilities. Full details about the security update are available in Github Issue [#1943] https://github.com/sparklemotion/nokogiri/issues/1943. --- CVE-2019-13117 https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html Priority: Low Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 --- CVE-2019-13118 https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html Priority: Low Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b --- CVE-2019-18197 https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html Priority: Medium Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 |
Affected by 30 other vulnerabilities. |
|
VCID-ypxg-52f8-gqe9
Aliases: CVE-2022-23308 |
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. |
Affected by 19 other vulnerabilities. |
|
VCID-z6qn-rugu-97eb
Aliases: CVE-2021-3541 |
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. |
Affected by 22 other vulnerabilities. |
|
VCID-zghx-r86h-s7ef
Aliases: CVE-2019-18197 GHSA-242x-7cm6-4w8j |
Nokogiri affected by libxslt Use of Uninitialized Resource/ Use After Free vulnerability In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue. |
Affected by 30 other vulnerabilities. |
|
VCID-zn3c-murn-p3hr
Aliases: CVE-2019-5477 GHSA-cr5j-953j-xw5p |
Rexical Command Injection Vulnerability A command injection vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. It allows commands to be executed in a subprocess by Ruby's `Kernel.open` method. |
Affected by 32 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||