Search for vulnerabilities
Vulnerability details: VCID-rcuu-68e3-1bgq
Vulnerability ID VCID-rcuu-68e3-1bgq
Aliases CVE-2021-30560
GHSA-59gp-qqm7-cw4j
GHSA-fq42-c5rg-92c2
GMS-2022-163
Summary Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) ## Summary Nokogiri v1.13.2 upgrades two of its packaged dependencies: * vendored libxml2 from v2.9.12 to v2.9.13 * vendored libxslt from v1.1.34 to v1.1.35 Those library versions address the following upstream CVEs: * libxslt: CVE-2021-30560 (CVSS 8.8, High severity) * libxml2: CVE-2022-23308 (Unspecified severity, see more information below) Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. ## Mitigation Upgrade to Nokogiri >= 1.13.2. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs. ## Impact * libxslt CVE-2021-30560 * CVSS3 score: 8.8 (High) Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c All versions of libxslt prior to v1.1.35 are affected. Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. libxml2 CVE-2022-23308 * As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. * Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 * Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options `DTDVALID` set to true, and `NOENT` set to false. An analysis of these parse options: * While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. * `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing untrusted documents is vulnerable and should be upgraded immediately.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-416 Use After Free
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
System Score Found at
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2021-30560
cvssv3.1 8.8 https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
generic_textual HIGH https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
cvssv3.1 8.8 https://crbug.com/1219209
generic_textual HIGH https://crbug.com/1219209
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-59gp-qqm7-cw4j
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-fq42-c5rg-92c2
cvssv3.1 8.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml
cvssv3.1 8.8 https://github.com/sparklemotion/nokogiri
generic_textual HIGH https://github.com/sparklemotion/nokogiri
cvssv3.1 8.8 https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2
generic_textual HIGH https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2
cvssv3 8.8 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
cvssv3.1 8.8 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
cvssv3.1_qr HIGH https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
generic_textual HIGH https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
cvssv3.1 8.8 https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2021-30560
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2021-30560
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-30560
archlinux High https://security.archlinux.org/AVG-2166
archlinux High https://security.archlinux.org/AVG-2167
cvssv3.1 8.8 https://security.gentoo.org/glsa/202310-23
generic_textual HIGH https://security.gentoo.org/glsa/202310-23
cvssv3.1 8.8 https://www.debian.org/security/2022/dsa-5216
generic_textual HIGH https://www.debian.org/security/2022/dsa-5216
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-30560
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
https://crbug.com/1219209
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30560
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml
https://github.com/sparklemotion/nokogiri
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
https://nvd.nist.gov/vuln/detail/CVE-2021-30560
https://security.gentoo.org/glsa/202310-23
https://www.debian.org/security/2022/dsa-5216
990079 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990079
ASA-202107-30 https://security.archlinux.org/ASA-202107-30
ASA-202107-31 https://security.archlinux.org/ASA-202107-31
AVG-2166 https://security.archlinux.org/AVG-2166
AVG-2167 https://security.archlinux.org/AVG-2167
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
GHSA-59gp-qqm7-cw4j https://github.com/advisories/GHSA-59gp-qqm7-cw4j
GHSA-fq42-c5rg-92c2 https://github.com/advisories/GHSA-fq42-c5rg-92c2
USN-5575-1 https://usn.ubuntu.com/5575-1/
USN-5575-2 https://usn.ubuntu.com/5575-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://crbug.com/1219209
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/sparklemotion/nokogiri
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-30560
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-30560
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202310-23
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5216
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.26956
EPSS Score 0.00092
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:55.594204+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-30560.yml 37.0.0