CVE-2019-5815
Description
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Type confusion in libxslt's xsltNumberFormatGetMultipleLevel before 1.1.33 allows heap corruption via crafted XML, affecting Nokogiri users.
Vulnerability
Description
CVE-2019-5815 is a type confusion vulnerability in the xsltNumberFormatGetMultipleLevel function of libxslt prior to version 1.1.33. This bug allows an attacker to potentially trigger heap corruption by providing specially crafted XML data to an application that performs XSLT transformations using the vulnerable library [1][2]. Type confusion occurs when a program accesses a resource using an incompatible type, leading to memory corruption and potentially arbitrary code execution.
Attack Vector
The vulnerability is triggered when libxslt processes a maliciously crafted XML document during XSLT number formatting. No authentication is required, as the attack surface is through parsing untrusted XML input. Applications that use libxslt to transform user-supplied XML are at risk, including the popular Ruby library Nokogiri, which vendors libxslt for XML and XSLT processing [1][3].
Impact
Successful exploitation of this heap corruption issue could allow an attacker to crash the application or execute arbitrary code in the context of the process. The severity is elevated because libxslt is widely used in web applications and services that handle untrusted XML, potentially leading to remote code execution [2].
Mitigation
The fix was released in libxslt version 1.1.34, which was then vendored into Nokogiri starting from version 1.10.5. Users are advised to upgrade Nokogiri to at least version 1.10.5 or libxslt to 1.1.34 or later. For users of packages that bundle libxslt (e.g., Nokogiri), updating to the latest patched version is the recommended mitigation [4]. The vulnerability was also addressed in Ubuntu's libxslt package via USN-5575-1 [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nokogiri (RubyGems) | < 1.10.5 | 1.10.5 |
Affected products
Six affected version ranges (no CPE assigned for any of them):
- pkg:gem/nokogiri: range < 1.10.5
- pkg:rpm/opensuse/chromium (distro: openSUSE Leap 15.0): range < 74.0.3729.108-lp150.209.2
- pkg:rpm/opensuse/chromium (distro: openSUSE Leap 15.1): range < 75.0.3770.90-bp150.213.3
- pkg:rpm/opensuse/chromium (distro: openSUSE Tumbleweed): range < 93.0.4577.82-1.1
- pkg:rpm/suse/chromium (distro: SUSE Package Hub 12 SP3): range < 75.0.3770.90-bp150.213.3
- pkg:rpm/suse/chromium (distro: SUSE Package Hub 15): range < 75.0.3770.90-bp150.213.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vmfx-gcfq-wvm2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5815 (advisory)
- bugs.chromium.org/p/chromium/issues/detail (MITRE reference)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-5815.yml (web)
- github.com/sparklemotion/nokogiri/issues/2630 (web)
- gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b (upstream commit)
- lists.debian.org/debian-lts-announce/2022/09/msg00010.html (mailing list)
News mentions
No linked articles in our index yet.