CVE-2013-6460
Description
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nokogiri gem 1.5.x has a denial of service vulnerability via infinite loop when parsing specially crafted XML documents.
Vulnerability
Description
CVE-2013-6460 is a denial of service vulnerability in the Nokogiri gem for Ruby, specifically in versions 1.5.x. The bug occurs during XML parsing, where a specially crafted XML document can trigger an error that causes an infinite loop, leading to excessive memory consumption and a crash. This issue was reported to Red Hat and assigned this CVE identifier [1][4].
Exploitation
An attacker can exploit this vulnerability by providing a malicious XML document to an application using the affected Nokogiri gem. The attack does not require authentication or complex prerequisites; simply parsing the crafted input is sufficient to trigger the infinite loop. The vulnerability is rooted in the parsing logic that fails to handle certain malformed XML constructs gracefully [1][3].
Impact
Successful exploitation results in a denial of service condition. The infinite loop exhausts system memory, potentially causing the Ruby process or the entire application to crash. This can disrupt the availability of services that rely on Nokogiri for XML processing [1][4].
Mitigation
Users of Nokogiri 1.5.x should upgrade to a patched version. The Nokogiri project has addressed this issue in later releases (e.g., 1.6.x and beyond). The NVD entry also lists references to the oss-security mailing list disclosure and Red Hat advisory [2][3]. No workaround other than upgrading is known.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | >= 1.5.0, < 1.5.11 | 1.5.11 |
| nokogiri (RubyGems) | >= 1.6.0, < 1.6.1 | 1.6.1 |
Affected products
- Ruby / Nokogiri gem (v5), range: 1.5.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-62qp-3fxm-9wxf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-6460 (NVD advisory)
- www.openwall.com/lists/oss-security/2013/12/27/2 (oss-security disclosure)
- www.securityfocus.com/bid/64513 (SecurityFocus BID, via MITRE)
- access.redhat.com/security/cve/cve-2013-6460 (Red Hat CVE page)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- bugzilla.suse.com/show_bug.cgi (SUSE Bugzilla)
- exchange.xforce.ibmcloud.com/vulnerabilities/90058 (IBM X-Force)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6460.yml (ruby-advisory-db)
- security-tracker.debian.org/tracker/CVE-2013-6460 (Debian security tracker)
- web.archive.org/web/20200229074427/https://www.securityfocus.com/bid/64513 (archived SecurityFocus BID)
News mentions
No linked articles in our index yet.