Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jfh3-1sgm-7ug2
Vulnerability ID VCID-jfh3-1sgm-7ug2
Aliases GHSA-wx95-c6cv-8532
Summary Nokogiri does not check the return value from xmlC14NExecute ## Summary Nokogiri's CRuby extension fails to check the return value from `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries. JRuby is not affected, as the Java implementation correctly raises `RuntimeError` on canonicalization failure. ## Mitigation Upgrade to Nokogiri `>= 1.19.1`. ## Severity The maintainers have assessed this as **Medium** severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References). ## Credit This vulnerability was responsibly reported by HackerOne researcher `d4d`.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-252 Unchecked Return Value
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wx95-c6cv-8532
cvssv3.1 5.3 https://github.com/sparklemotion/nokogiri
generic_textual MODERATE https://github.com/sparklemotion/nokogiri
cvssv3 5.3 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
cvssv3.1 5.3 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
cvssv3.1_qr MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
Reference id Reference type URL
https://github.com/sparklemotion/nokogiri
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
GHSA-wx95-c6cv-8532 https://github.com/advisories/GHSA-wx95-c6cv-8532
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/sparklemotion/nokogiri
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:59.157199+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-wx95-c6cv-8532/GHSA-wx95-c6cv-8532.json 38.0.0