CVE-2013-6461
Description
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nokogiri gem 1.5.x and 1.6.x vulnerable to DoS via XML entity expansion due to missing limits.
Nokogiri, a popular Ruby library for parsing XML and HTML, is vulnerable in versions 1.5.x and 1.6.x to a denial-of-service (DoS) attack when parsing XML entities. The root cause is the failure to apply limits on entity expansion, which allows an attacker to cause resource exhaustion [4].
An attacker can exploit this vulnerability by providing a specially crafted XML document containing deeply nested or recursive entity references. This triggers uncontrolled expansion of entities, consuming excessive CPU time and memory. No authentication is required if the application parses untrusted XML input, making the attack surface broad [1][4].
Successful exploitation leads to a denial-of-service condition: the application may become unresponsive or crash due to memory exhaustion. This can disrupt services relying on Nokogiri to process XML data [1].
The issue has been addressed in later versions of Nokogiri. Users should upgrade to a patched release (e.g., versions after 1.6.x) to mitigate the vulnerability [2].
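The following is an added example, not Nokogiri's own code: a pre-parse check that estimates how far a document's internal DTD entities would expand, rejects recursive definitions, and enforces a byte budget (the assumed `MAX_EXPANSION` constant stands in for the limit the affected versions failed to apply). The entity scanner is a regex over the internal subset, so it is a filter for untrusted input in front of a parser, not a replacement for one.

```ruby
# Added example: estimate XML entity expansion before handing untrusted input
# to a parser that applies no limit. Reads <!ENTITY name "text"> declarations
# from the internal DTD subset; parameter entities (<!ENTITY % ...>) are ignored.

MAX_EXPANSION = 10_000 # assumed byte budget for any single entity's expansion

# Returns { name => replacement_text } for internal general entities.
def entity_declarations(xml)
  decls = xml.scan(/<!ENTITY\s+([^\s%&;]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/)
  decls.each_with_object({}) { |(name, dq, sq), h| h[name] = dq || sq }
end

# Expanded byte length of one entity. Raises on recursive definitions and stops
# as soon as the budget is exceeded, so a hostile document cannot make the
# estimator itself do unbounded work.
def expanded_length(name, entities, memo = {}, stack = [])
  return memo[name] if memo.key?(name)
  raise ArgumentError, "recursive entity #{name}" if stack.include?(name)
  # Undeclared references (including &lt; and &#38;) stay as literal text.
  return memo[name] = "&#{name};".length unless entities.key?(name)
  text = entities[name]
  total = 0
  pos = 0
  text.scan(/&([^\s&;]+);/) do |(ref)|
    m = Regexp.last_match
    total += m.begin(0) - pos # literal text between references
    pos = m.end(0)
    total += expanded_length(ref, entities, memo, stack + [name])
    raise ArgumentError, "entity #{name} exceeds #{MAX_EXPANSION} bytes" if total > MAX_EXPANSION
  end
  memo[name] = total + (text.length - pos)
end

# [:ok, largest_expansion] when within budget, [:reject, reason] otherwise.
def check_entity_expansion(xml)
  entities = entity_declarations(xml)
  worst = entities.keys.map { |n| expanded_length(n, entities) }.max || 0
  [:ok, worst]
rescue ArgumentError => e
  [:reject, e.message]
end

# Constructed sample: three entities, each referencing the previous one three
# times, so "c" expands to 3 * 3 * 1 = 9 bytes (well under the budget).
SAMPLE_NESTED = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE r [ <!ENTITY a "x"> <!ENTITY b "&a;&a;&a;"> <!ENTITY c "&b;&b;&b;"> ]>
  <r>&c;</r>
XML

# Constructed sample: an entity that references itself, which a parser without
# limits would chase indefinitely.
SAMPLE_RECURSIVE = '<!DOCTYPE r [ <!ENTITY loop "&loop;"> ]><r>&loop;</r>'
```

Run `check_entity_expansion` on the raw input before parsing and only pass documents that return `:ok`; documents with no DTD trivially pass with an expansion of 0.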
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | >= 1.5.0, < 1.5.11 | 1.5.11 |
| nokogiri (RubyGems) | >= 1.6.0, < 1.6.1 | 1.6.1 |
Affected products
- Ruby / Nokogiri gem, range: 1.5.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jmhh-w7xp-wg39 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-6461 (advisory)
- www.openwall.com/lists/oss-security/2013/12/27/2 (web)
- www.securityfocus.com/bid/64513 (MITRE reference)
- access.redhat.com/security/cve/cve-2013-6461 (web)
- bugzilla.redhat.com/show_bug.cgi (web)
- exchange.xforce.ibmcloud.com/vulnerabilities/90059 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6461.yml (web)
- security-tracker.debian.org/tracker/CVE-2013-6461 (web)
- web.archive.org/web/20200804224345/https://www.securityfocus.com/bid/64513 (web)
News mentions
No linked articles in our index yet.