purl | pkg:gem/nokogiri@1.7.0.1 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1bg3-82zf-aaaj (Aliases: USN-3424-1) | Vulnerabilities in libxml2. The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml. It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375) It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376) Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047) Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048) Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050) | Affected by 45 other vulnerabilities. |
VCID-1px9-q7g4-aaan (Aliases: CVE-2019-11068, GHSA-qxcg-xjjg-66mj) | libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. | Affected by 41 other vulnerabilities. Affected by 39 other vulnerabilities. |
VCID-29mt-tpku-aaab (Aliases: CVE-2021-3517, GHSA-jw9f-hh49-cvp9) | There is a flaw in the XML entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. | Affected by 30 other vulnerabilities. |
VCID-2c4c-yyw7-aaas (Aliases: CVE-2021-30560, GHSA-59gp-qqm7-cw4j) | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Affected by 25 other vulnerabilities. |
VCID-2em3-ugp2-aaag (Aliases: CVE-2019-13117, GHSA-4hm9-844j-jmxp) | In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. | Affected by 36 other vulnerabilities. |
VCID-2fyr-85vm-aaak (Aliases: CVE-2023-45322) | ** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail." | There are no reported fixed by versions. |
VCID-38rq-d4wx-aaaj (Aliases: CVE-2019-5477, GHSA-cr5j-953j-xw5p) | A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. | Affected by 39 other vulnerabilities. |
VCID-3q3t-625m-aaak (Aliases: CVE-2023-28484) | NULL Pointer Dereference: In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. | Affected by 10 other vulnerabilities. |
VCID-3x6j-ugme-aaas (Aliases: GHSA-xc9x-jj77-9p9j, GMS-2024-127) | Nokogiri updates packaged libxml2 to v2.12.5 to resolve CVE-2024-25062. | Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-4j3k-2xfx-aaaj (Aliases: GHSA-v6gp-9mmm-c6p5, GMS-2022-787) | Out-of-bounds Write in zlib affects Nokogiri. | Affected by 19 other vulnerabilities. |
VCID-4kts-b8nu-aaad (Aliases: CVE-2017-9050, GHSA-8c56-cpmw-89x7) | Out-of-bounds read in nokogiri. | Affected by 45 other vulnerabilities. |
VCID-57tk-3v58-aaaj (Aliases: CVE-2019-13118, GHSA-cf46-6xxh-pc75) | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. | Affected by 36 other vulnerabilities. |
VCID-5g2v-sxrc-aaaf (Aliases: CVE-2022-24836, GHSA-crjr-9rc5-ghw8) | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue. | Affected by 19 other vulnerabilities. |
VCID-76fj-htxj-aaah (Aliases: CVE-2019-18197, GHSA-242x-7cm6-4w8j) | In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. | Affected by 36 other vulnerabilities. |
VCID-7yj5-4vjb-aaar (Aliases: CVE-2021-41098, GHSA-2rr5-8q37-2w7h) | Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby. | Affected by 27 other vulnerabilities. |
VCID-7ytf-hshe-aaaa (Aliases: GHSA-r95h-9x8f-r3f7) | Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459. | Affected by 4 other vulnerabilities. |
VCID-9y6t-uz46-aaad (Aliases: CVE-2017-5029, GHSA-pf6m-fxpq-fg8v) | The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. | Affected by 48 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-adp7-tpp1-8qbn (Aliases: GHSA-vvfq-8hwr-qm4m) | Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171. Summary: Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses CVE-2025-24928 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847) and CVE-2024-56171 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828). Impact of CVE-2025-24928: a stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. Impact of CVE-2024-56171: a use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints. | Affected by 2 other vulnerabilities. |
VCID-b8ge-qb4s-aaad (Aliases: CVE-2022-40304) | An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. | Affected by 15 other vulnerabilities. |
VCID-crfj-ka8q-aaad (Aliases: CVE-2019-5815, GHSA-vmfx-gcfq-wvm2) | Access of Resource Using Incompatible Type (Type Confusion): Type confusion in `xsltNumberFormatGetMultipleLevel` in libxslt, which is included in nokogiri, could allow attackers to potentially exploit heap corruption via crafted XML data. | Affected by 39 other vulnerabilities. Affected by 36 other vulnerabilities. |
VCID-duvb-k7ce-aaar (Aliases: CVE-2022-29181, GHSA-xh29-r2w5-wx8m) | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent. | Affected by 17 other vulnerabilities. |
VCID-dwdk-kk6d-43b2 (Aliases: GHSA-5w6v-399v-w3cc) | Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415. | Affected by 0 other vulnerabilities. |
VCID-ejvv-2b2c-aaan (Aliases: GHSA-pxvg-2qj5-37jq, GMS-2023-1115) | Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs. | Affected by 10 other vulnerabilities. |
VCID-fke8-gpzm-aaad (Aliases: CVE-2022-40303) | An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. | Affected by 15 other vulnerabilities. |
VCID-gn1q-6cht-aaap (Aliases: CVE-2021-3537, GHSA-286v-pcf5-25rc) | A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. | Affected by 30 other vulnerabilities. |
VCID-jbh9-k85r-aaar (Aliases: CVE-2020-26247, GHSA-vr8q-g5c7-m54m) | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4. | Affected by 35 other vulnerabilities. Affected by 33 other vulnerabilities. |
VCID-m7ct-1jfm-aaaj (Aliases: CVE-2018-14404, GHSA-6qvp-r6r3-9p7h) | A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application. | Affected by 42 other vulnerabilities. |
VCID-mpuz-tm4y-aaad (Aliases: CVE-2016-4658, GHSA-fr52-4hqw-p27f) | Nokogiri does not forbid namespace nodes in XPointer ranges. | Affected by 48 other vulnerabilities. |
VCID-n1r2-jqwt-jucp (Aliases: GHSA-5mwf-688x-mr7x) | Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171. Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses CVE-2025-24928 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847) and CVE-2024-56171 (described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828). | Affected by 2 other vulnerabilities. |
VCID-n3rk-tdn9-aaaa (Aliases: CVE-2022-23308) | valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. | Affected by 25 other vulnerabilities. |
VCID-nuy6-81wq-aaaa (Aliases: CVE-2017-18258, GHSA-882p-jqgm-f45g) | Moderate severity vulnerability that affects nokogiri. | Affected by 43 other vulnerabilities. |
VCID-pjrb-txh7-aaak (Aliases: CVE-2018-8048, GHSA-x7rv-cr6v-4vm4) | Moderate severity vulnerability that affects loofah. | Affected by 43 other vulnerabilities. |
VCID-psj6-phjv-a7bb (Aliases: GHSA-mrxw-mxhj-p664) | Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs. Summary: Nokogiri v1.18.4 upgrades its dependency libxslt to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43). libxslt v1.1.43 resolves CVE-2025-24855 (fix use-after-free of XPath context node) and CVE-2024-55549 (fix UAF related to excluded namespaces). Impact of CVE-2025-24855: "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"; MITRE has rated this 7.8 High, CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H; upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128; NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855. Impact of CVE-2024-55549: "Use-after-free related to excluded result prefixes"; MITRE has rated this 7.8 High, CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H; upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127; NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549. | Affected by 1 other vulnerability. |
VCID-rc6j-z37r-aaaq (Aliases: GHSA-r3w4-36x6-7r99) | Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459. | Affected by 4 other vulnerabilities. |
VCID-rfmt-xmc2-aaan (Aliases: GHSA-xxx9-3xcr-gjj3, GMS-2022-788) | XML Injection in Xerces Java affects Nokogiri. | Affected by 19 other vulnerabilities. |
VCID-rg4z-at9n-aaaa (Aliases: CVE-2020-24977) | GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. | Affected by 30 other vulnerabilities. |
VCID-scun-vfj2-aaaq (Aliases: GHSA-gx8x-g87m-h5q6, GMS-2022-786) | Denial of Service (DoS) in Nokogiri on JRuby. | Affected by 19 other vulnerabilities. |
VCID-sdba-sgwc-aaaj (Aliases: CVE-2021-3541) | A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service. | Affected by 30 other vulnerabilities. |
VCID-th6j-c7js-aaaf (Aliases: CVE-2017-16932, GHSA-x2fm-93ww-ggvx) | parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. | Affected by 45 other vulnerabilities. |
VCID-tu3y-7d5y-aaap (Aliases: GHSA-2qc6-mcvw-92cw, GMS-2022-5550) | Update bundled libxml2 to v2.10.3 to resolve multiple CVEs. | Affected by 15 other vulnerabilities. |
VCID-tvba-4tuf-aaam (Aliases: GHSA-cgx6-hpwq-fhv5, GMS-2022-1438) | Integer Overflow or Wraparound in libxml2 affects Nokogiri. | Affected by 18 other vulnerabilities. |
VCID-u9nd-yvuf-aaas (Aliases: GHSA-vcc3-rw6f-jv97) | Use-after-free in libxml2 via Nokogiri::XML::Reader. | Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
VCID-us2h-627w-aaab (Aliases: CVE-2022-23476, GHSA-qv4q-mr5r-qprj) | Unchecked return value from xmlTextReaderExpand. | Affected by 12 other vulnerabilities. |
VCID-v5mj-f96s-aaas (Aliases: CVE-2018-25032, GHSA-jc36-42cf-vqwj) | | Affected by 19 other vulnerabilities. |
VCID-vekd-aqst-aaas (Aliases: CVE-2017-15412, GHSA-r58r-74gx-6wx3) | Use After Free: Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | Affected by 43 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-wcpw-96g6-aaah (Aliases: GHSA-fq42-c5rg-92c2, GMS-2022-163) | Vulnerable dependencies in Nokogiri. | Affected by 25 other vulnerabilities. |
VCID-wdr9-vsu9-aaap (Aliases: CVE-2021-3518, GHSA-v4f8-2847-rwm7) | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. | Affected by 30 other vulnerabilities. |
VCID-wunb-embq-aaaq (Aliases: CVE-2023-29469) | Double Free: An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). | Affected by 10 other vulnerabilities. |
VCID-z4sj-ns7c-aaaf (Aliases: CVE-2020-7595, GHSA-7553-jr98-vx47) | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. | Affected by 35 other vulnerabilities. |
VCID-zdpk-yrsb-aaag (Aliases: GHSA-7rrm-v45f-jp64, GMS-2021-171) | Update packaged dependency libxml2 from 2.9.10 to 2.9.12. | Affected by 30 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
This package is not known to fix vulnerabilities. |