VYPR
← All advisories
High severityNVD Advisory· Published Dec 8, 2022· Updated Apr 23, 2025

Unchecked return value from xmlTextReaderExpand in Nokogiri

CVE-2022-23476

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nokogiri 1.13.8/1.13.9 fail to check xmlTextReaderExpand return value, causing DoS via null pointer exception on malformed XML.

Vulnerability

CVE-2022-23476 is a null pointer dereference vulnerability in the Ruby Nokogiri library (versions 1.13.8 and 1.13.9). The flaw exists in Nokogiri::XML::Reader#attribute_hash (and consequently #attributes), which invokes xmlTextReaderExpand without verifying the return value. When the parser encounters invalid or malformed markup, xmlTextReaderExpand may return NULL, leading to a null pointer exception [1][2].

Exploitation

An attacker can trigger this vulnerability by supplying crafted, malformed XML or HTML input to an application that uses Nokogiri's XML::Reader to parse untrusted data. No authentication is required; the attack is purely data-driven. The affected methods are #attributes and #attribute_hash; developers can review their code for calls to these methods to assess exposure [2][4].

Impact

Successful exploitation results in a null pointer exception, causing the Ruby process to crash. This constitutes a denial of service (DoS) condition. The impact is limited to denial of service; the description does not indicate potential for code execution or data breach [2].

Mitigation

The vulnerability is fixed in Nokogiri version 1.13.10 and later. Users should upgrade to at least 1.13.10. The fix ensures that when xmlTextReaderExpand returns NULL, #attribute_hash returns nil instead of proceeding with a null pointer [2][4]. No workaround is provided other than upgrading or avoiding the use of XML::Reader with untrusted data on vulnerable versions.

References
  1. GitHub - sparklemotion/nokogiri: Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby.
  2. NVD - CVE-2022-23476
  3. fix(cruby): XML::Reader#attribute_hash returns nil on error · sparklemotion/nokogiri@9fe0761

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nokogiriRubyGems
>= 1.13.8, < 1.13.101.13.10

Affected products

4

Patches

2
85410e38410f

Merge pull request #2715 from sparklemotion/flavorjones-fix-reader-error-handling_v1.13.x

https://github.com/sparklemotion/nokogiriMike DalessioDec 7, 2022via ghsa
commit
3 files changed · +43 0
  • CHANGELOG.md+7 0 modified
    @@ -4,6 +4,13 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## next / unreleased
+
+### Improvements
+
+* [CRuby] `XML::Reader#attribute_hash` now returns `nil` on parse errors. This restores the behavior of `#attributes` from v1.13.7 and earlier. [[#2715](https://github.com/sparklemotion/nokogiri/issues/2715)]
+
+
 ## 1.13.9 / 2022-10-18
 
 ### Security
  • ext/nokogiri/xml_reader.c+4 0 modified
    @@ -212,6 +212,10 @@ rb_xml_reader_attribute_hash(VALUE rb_reader)
   }
 
   c_node = xmlTextReaderExpand(c_reader);
+  if (c_node == NULL) {
+    return Qnil;
+  }
+
   c_property = c_node->properties;
   while (c_property != NULL) {
     VALUE rb_name = NOKOGIRI_STR_NEW2(c_property->name);
  • test/xml/test_reader.rb+32 0 modified
    @@ -681,6 +681,38 @@ def test_nonexistent_attribute
         reader.read # el
         assert_nil(reader.attribute("other"))
       end
+
+      def test_broken_markup_attribute_hash
+        xml = <<~XML
+          <root><foo bar="asdf" xmlns:quux="qwer">
+        XML
+        reader = Nokogiri::XML::Reader(xml)
+        reader.read # root
+        reader.read # foo
+
+        assert_equal("foo", reader.name)
+        if Nokogiri.jruby?
+          assert_equal({ "bar" => "asdf" }, reader.attribute_hash)
+        else
+          assert_nil(reader.attribute_hash)
+        end
+      end
+
+      def test_broken_markup_namespaces
+        xml = <<~XML
+          <root><foo bar="asdf" xmlns:quux="qwer">
+        XML
+        reader = Nokogiri::XML::Reader(xml)
+        reader.read # root
+        reader.read # foo
+
+        assert_equal("foo", reader.name)
+        if Nokogiri.jruby?
+          assert_equal({ "xmlns:quux" => "qwer" }, reader.namespaces)
+        else
+          assert_nil(reader.namespaces)
+        end
+      end
     end
   end
 end
9fe0761c47c0

fix(cruby): XML::Reader#attribute_hash returns nil on error

https://github.com/sparklemotion/nokogiriMike DalessioDec 6, 2022via ghsa
commit
3 files changed · +43 0
  • CHANGELOG.md+7 0 modified
    @@ -4,6 +4,13 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## next / unreleased
+
+### Improvements
+
+* [CRuby] `XML::Reader#attribute_hash` now returns `nil` on parse errors. This restores the behavior of `#attributes` from v1.13.7 and earlier. [[#2715](https://github.com/sparklemotion/nokogiri/issues/2715)]
+
+
 ## 1.13.9 / 2022-10-18
 
 ### Security
  • ext/nokogiri/xml_reader.c+4 0 modified
    @@ -212,6 +212,10 @@ rb_xml_reader_attribute_hash(VALUE rb_reader)
   }
 
   c_node = xmlTextReaderExpand(c_reader);
+  if (c_node == NULL) {
+    return Qnil;
+  }
+
   c_property = c_node->properties;
   while (c_property != NULL) {
     VALUE rb_name = NOKOGIRI_STR_NEW2(c_property->name);
  • test/xml/test_reader.rb+32 0 modified
    @@ -681,6 +681,38 @@ def test_nonexistent_attribute
         reader.read # el
         assert_nil(reader.attribute("other"))
       end
+
+      def test_broken_markup_attribute_hash
+        xml = <<~XML
+          <root><foo bar="asdf" xmlns:quux="qwer">
+        XML
+        reader = Nokogiri::XML::Reader(xml)
+        reader.read # root
+        reader.read # foo
+
+        assert_equal("foo", reader.name)
+        if Nokogiri.jruby?
+          assert_equal({ "bar" => "asdf" }, reader.attribute_hash)
+        else
+          assert_nil(reader.attribute_hash)
+        end
+      end
+
+      def test_broken_markup_namespaces
+        xml = <<~XML
+          <root><foo bar="asdf" xmlns:quux="qwer">
+        XML
+        reader = Nokogiri::XML::Reader(xml)
+        reader.read # root
+        reader.read # foo
+
+        assert_equal("foo", reader.name)
+        if Nokogiri.jruby?
+          assert_equal({ "xmlns:quux" => "qwer" }, reader.namespaces)
+        else
+          assert_nil(reader.namespaces)
+        end
+      end
     end
   end
 end

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.