High severity | NVD Advisory | Published Aug 3, 2021 | Updated May 5, 2025

CVE-2021-30560

Description

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Chrome's XSLT handling (Blink XSLT) allows remote code execution via crafted HTML.

Vulnerability

A use-after-free vulnerability exists in the Blink XSLT component of Google Chrome prior to version 91.0.4472.164. This memory corruption bug is triggered when processing a crafted HTML page that includes XSL transformations. Attackers can exploit this flaw by convincing a user to visit a malicious webpage. The affected versions are all Chrome releases before 91.0.4472.164. The flaw is also present in libxslt versions prior to 1.1.35, as used by Nokogiri < 1.13.2 [1][3].

Exploitation

An attacker requires no special privileges; they only need to host or inject a malicious HTML page that exploits the use-after-free in the XSLT parser. When a victim visits the page with an affected browser, the crafted content triggers the vulnerable code path. No user interaction beyond visiting the page is required. The exploitation may lead to heap corruption that an attacker can leverage for code execution [2][3].

Impact

Successful exploitation allows an attacker to achieve remote code execution (RCE) in the context of the browser process, leading to full compromise of the affected system. The CVSS score of this vulnerability is 8.8 (High) [3]. The impact includes information disclosure, denial of service, and arbitrary code execution. In the context of Nokogiri, applications using untrusted XSL stylesheets to transform XML are vulnerable to denial of service [3].

Mitigation

The vulnerability is fixed in Google Chrome version 91.0.4472.164 and later [2]. For the libxslt library, the fix is included in version 1.1.35 [3]. Nokogiri users should upgrade to version 1.13.2 or later, which vendors the patched libxslt [3]. Users unable to upgrade can compile and link Nokogiri against system libraries with libxslt >= 1.1.35 [3]. No workaround is available for Chrome itself other than updating [2].
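The version thresholds in this section can be turned into a repeatable check. The following is an added example, not code from the advisory or from the Nokogiri project: a pure-Ruby gate using Gem::Version that flags a Nokogiri gem older than 1.13.2, or any Nokogiri build linked against a libxslt older than 1.1.35 (the case covered by the "compile against system libraries" advice). The optional runtime probe assumes that Nokogiri::VERSION exists and that Nokogiri::VERSION_INFO carries a "libxslt" => {"loaded" => "..."} entry; that assumption is labelled in the code and the probe simply returns nil when the gem is not installed.

```ruby
require "rubygems" # Gem::Version gives correct semantic comparison ("1.13.10" > "1.13.2")

# Thresholds taken from the advisory text: Nokogiri 1.13.2 vendors libxslt 1.1.35.
PATCHED_NOKOGIRI = Gem::Version.new("1.13.2")
PATCHED_LIBXSLT  = Gem::Version.new("1.1.35")

# Returns true when the described Nokogiri installation still needs attention
# for CVE-2021-30560: either the gem itself predates 1.13.2, or the build was
# linked against a system libxslt older than 1.1.35. Pass libxslt_version only
# when it is known (e.g. a system-library build); for a vendored build the gem
# version alone decides.
def cve_2021_30560_exposed?(nokogiri_version:, libxslt_version: nil)
  gem_too_old  = Gem::Version.new(nokogiri_version) < PATCHED_NOKOGIRI
  xslt_too_old = libxslt_version ? Gem::Version.new(libxslt_version) < PATCHED_LIBXSLT : false
  gem_too_old || xslt_too_old
end

# Same check against the currently running process.
# ASSUMPTION (not confirmed by the advisory): Nokogiri exposes Nokogiri::VERSION
# and a Nokogiri::VERSION_INFO hash with "libxslt" => {"loaded" => "<version>"}.
# Returns nil when Nokogiri cannot be loaded so the rest of a script keeps going.
def runtime_exposed?
  require "nokogiri"
  loaded_xslt = Nokogiri::VERSION_INFO.dig("libxslt", "loaded")
  cve_2021_30560_exposed?(nokogiri_version: Nokogiri::VERSION,
                          libxslt_version: loaded_xslt)
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a vulnerable gem, a patched vendored build, and a
  # patched gem that was compiled against an old system libxslt.
  [["1.12.5", nil], ["1.13.2", nil], ["1.13.2", "1.1.34"]].each do |gem_v, xslt_v|
    verdict = cve_2021_30560_exposed?(nokogiri_version: gem_v, libxslt_version: xslt_v)
    puts "nokogiri #{gem_v} / libxslt #{xslt_v || 'vendored'} -> exposed: #{verdict}"
  end
  puts "running process exposed: #{runtime_exposed?.inspect}"
end
```

Dropping this into a CI step (or a Rake task) makes the advisory's two distinct conditions explicit: a gem bump alone is enough for vendored builds, but a system-library build stays exposed until the host's libxslt reaches 1.1.35 as well.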

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: nokogiri (RubyGems)
Affected versions: < 1.13.2
Patched versions: 1.13.2

Affected products: 44

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 10

News mentions: 0

No linked articles in our index yet.