The Wayback Machine - https://web.archive.org/web/20230125012525/https://github.com/advisories/GHSA-xh29-r2w5-wx8m
Skip to content

Nokogiri Improperly Handles Unexpected Data Type

High severity GitHub Reviewed Published May 23, 2022 in sparklemotion/nokogiri • Updated Jan 6, 2023

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.13.6

Patched versions

1.13.6

Description

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

References

@flavorjones flavorjones published the maintainer security advisory May 8, 2022

Severity

High
8.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CVE ID

CVE-2022-29181

GHSA ID

GHSA-xh29-r2w5-wx8m
Checking history
See something to contribute? Suggest improvements for this vulnerability.