Search for vulnerabilities
Vulnerability details: VCID-qzdv-5fc6-vbea
Vulnerability ID VCID-qzdv-5fc6-vbea
Aliases CVE-2015-7499
GHSA-jxjr-5h69-qw3w
Summary Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE: CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-122 Heap-based Buffer Overflow
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-2549.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-2550.html
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.01538 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
epss 0.0185 https://api.first.org/data/v1/epss?cve=CVE-2015-7499
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=1281925
generic_textual MODERATE https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc
generic_textual MODERATE https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jxjr-5h69-qw3w
generic_textual MODERATE https://github.com/advisories/GHSA-jxjr-5h69-qw3w
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml
generic_textual MODERATE https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2015-7499
generic_textual MODERATE https://security.gentoo.org/glsa/201701-37
generic_textual MODERATE https://web.archive.org/web/20210724022841/http://www.securityfocus.com/bid/79509
generic_textual MODERATE https://web.archive.org/web/20211205133229/https://securitytracker.com/id/1034243
generic_textual MODERATE http://www.debian.org/security/2015/dsa-3430
generic_textual MODERATE http://www.ubuntu.com/usn/USN-2834-1
generic_textual MODERATE http://xmlsoft.org/news.html
Reference id Reference type URL
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
http://rhn.redhat.com/errata/RHSA-2015-2549.html
http://rhn.redhat.com/errata/RHSA-2015-2550.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7499.json
https://api.first.org/data/v1/epss?cve=CVE-2015-7499
https://bugzilla.redhat.com/show_bug.cgi?id=1281925
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8710
https://git.gnome.org/browse/libxml2/commit/?id=28cd9cb747a94483f4aea7f0968d202c20bb4cfc
https://git.gnome.org/browse/libxml2/commit/?id=35bcb1d758ed70aa7b257c9c3b3ff55e54e3d0da
https://github.com/advisories/GHSA-jxjr-5h69-qw3w
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml
https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
https://nvd.nist.gov/vuln/detail/CVE-2015-7499
https://security.gentoo.org/glsa/201701-37
https://web.archive.org/web/20210724022841/http://www.securityfocus.com/bid/79509
https://web.archive.org/web/20211205133229/https://securitytracker.com/id/1034243
http://www.debian.org/security/2015/dsa-3430
http://www.ubuntu.com/usn/USN-2834-1
http://xmlsoft.org/news.html
RHSA-2015:2549 https://access.redhat.com/errata/RHSA-2015:2549
RHSA-2015:2550 https://access.redhat.com/errata/RHSA-2015:2550
RHSA-2016:1089 https://access.redhat.com/errata/RHSA-2016:1089
USN-2834-1 https://usn.ubuntu.com/2834-1/
USN-2875-1 https://usn.ubuntu.com/2875-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.80579
EPSS Score 0.01538
Published At Aug. 17, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:56.414632+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2015-7499.yml 37.0.0