Search for vulnerabilities
Vulnerability details: VCID-refb-dn2k-b7cq
Vulnerability ID VCID-refb-dn2k-b7cq
Aliases GHSA-xc9x-jj77-9p9j
GMS-2024-127
Summary Use-after-free in libxml2 via Nokogiri::XML::Reader ### Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 libxml2 v2.11.7 and v2.12.5 address the following vulnerability: CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements. JRuby users are not affected. ### Severity The Nokogiri maintainers have evaluated this as **Moderate**. ### Impact From the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`): > When using the XML Reader interface with DTD validation and XInclude expansion enabled, > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. ### Mitigation Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-416 Use After Free
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xc9x-jj77-9p9j
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
generic_textual MODERATE https://github.com/sparklemotion/nokogiri
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/discussions/3146
cvssv3.1_qr MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
generic_textual MODERATE https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
generic_textual MODERATE https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
generic_textual MODERATE https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
generic_textual MODERATE https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-25062
Reference id Reference type URL
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
https://github.com/sparklemotion/nokogiri
https://github.com/sparklemotion/nokogiri/discussions/3146
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
https://nvd.nist.gov/vuln/detail/CVE-2024-25062
GHSA-xc9x-jj77-9p9j https://github.com/advisories/GHSA-xc9x-jj77-9p9j
No exploits are available.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:55.882224+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml 37.0.0