VulnerableCode Vulnerability Details - VCID-adp7-tpp1-8qbn

Search for vulnerabilities

Vulnerability details: VCID-adp7-tpp1-8qbn

Essentials
Severities (5)
References (4)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-adp7-tpp1-8qbn
Aliases	GHSA-vvfq-8hwr-qm4m
Summary	Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171 ## Summary Nokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6). libxml2 v2.13.6 addresses: - CVE-2025-24928 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847 - CVE-2024-56171 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828 ## Impact ### CVE-2025-24928 Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix. ### CVE-2024-56171 Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints.
Status	Published
Exploitability	0.5
Weighted Severity	2.7
Risk	1.4
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-121	Stack-based Buffer Overflow
CWE-1395	Dependency on Vulnerable Third-Party Component
CWE-416	Use After Free
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-vvfq-8hwr-qm4m
generic_textual	LOW	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml
generic_textual	LOW	https://github.com/sparklemotion/nokogiri
cvssv3.1_qr	LOW	https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
generic_textual	LOW	https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m

Reference id	Reference type	URL
		https://github.com/sparklemotion/nokogiri
		https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
GHSA-vvfq-8hwr-qm4m		https://github.com/advisories/GHSA-vvfq-8hwr-qm4m
GHSA-vvfq-8hwr-qm4m.yml		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2025-03-28T13:37:20.439606+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml	36.0.0