VYPR
High severity · NVD Advisory · Published Apr 11, 2022 · Updated Sep 3, 2024

Inefficient Regular Expression Complexity in Nokogiri

CVE-2022-24836

Description

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nokogiri < 1.13.4 for Ruby contains a ReDoS vulnerability via an inefficient regex used for HTML encoding detection.

Vulnerability

Nokogiri versions < 1.13.4 contain an inefficient regular expression in the HTML encoding detection routine (Nokogiri::HTML4::EncodingReader.detect_encoding in lib/nokogiri/html4/document.rb, per the fix commit). The regex that looks for a leading XML declaration, /\A(<\?xml[ \t\r\n]+[^>]*>)/, matches the whitespace after "<?xml" with two overlapping sub-patterns: both [ \t\r\n]+ and the following [^>]* accept spaces, tabs and newlines, so when the declaration is never closed by ">" the engine tries every way of splitting the whitespace run between the two before the match fails. Matching time therefore grows quadratically with the number of whitespace characters, which is a Regular Expression Denial of Service (ReDoS) condition. The affected component is the HTML4 parser's encoding detection, which runs over the start of the document whenever Nokogiri parses HTML without an explicitly specified encoding. [2][4]

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted HTML document to a Ruby application that parses untrusted HTML with Nokogiri < 1.13.4 without passing an explicit encoding. No authentication or special privileges are needed beyond the ability to deliver the document (a web upload, an API request body, a fetched page, an email attachment). The input is small and trivial to construct: the regression test in the fix commit uses the string "<?xml " followed by 40,000 spaces, an XML declaration that is never closed by ">". When the vulnerable regex tries to match this prefix it backtracks through every possible split of the whitespace run, CPU usage spikes, and the parse hangs for a period that grows quadratically with the length of the input. [2][4]
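The regex mechanics described in the Vulnerability and Exploitation sections, as an added example that is not Nokogiri's own code: the pre-1.13.4 pattern and the patched pattern copied from the fix commit, run over a constructed attacker chunk of the same shape as the regression test, plus a self-check that both patterns agree on well-formed declarations. The helper names (redos_chunk, xml_declaration, match_seconds, growth_ratio) are this example's own. One caveat a practitioner should know: Ruby 3.2 and later memoize backtracking states for simple regexes like this one, so on those interpreters even the old pattern completes in linear time; the quadratic growth is visible on Ruby 3.1 and earlier, which is what was current when the CVE was published.

```ruby
# Added example (not Nokogiri's code): the encoding-detection regex from
# Nokogiri < 1.13.4 beside the patched one, run on the kind of chunk an
# attacker controls, so the quadratic-vs-linear behaviour can be seen directly.
require "benchmark"

# Regex from Nokogiri::HTML4::EncodingReader.detect_encoding before the fix.
# "[ \t\r\n]+" and the following "[^>]*" both accept whitespace, so when no ">"
# follows, the engine tries every way to split the run of spaces between the
# two classes before the match fails: O(n^2) in the number of spaces.
VULNERABLE_XML_DECL = /\A(<\?xml[ \t\r\n]+[^>]*>)/

# Regex after the fix: exactly one whitespace character, then "[^>]*" takes the
# rest. There is only one way to consume the spaces, so a failing match is O(n).
FIXED_XML_DECL = /\A(<\?xml[ \t\r\n][^>]*>)/

# Constructed attacker input: an XML declaration that is never closed.
# Returned as ASCII-8BIT because Nokogiri's reader hands raw bytes to the regex.
def redos_chunk(n)
  ("<?xml " + (" " * n)).b
end

# What detect_encoding extracts (the whole declaration, or nil) with a given regex.
def xml_declaration(regex, chunk)
  m = chunk.match(regex)
  m && m[1]
end

# Wall-clock seconds for one match attempt.
def match_seconds(regex, chunk)
  Benchmark.realtime { chunk.match(regex) }
end

# Ratio of match time at 2n spaces to match time at n spaces: roughly 4 for a
# quadratic regex, roughly 2 (or dominated by noise) for a linear one.
# NOTE: Ruby >= 3.2 memoizes backtracking for regexes of this shape, so the
# vulnerable pattern also looks linear there; run on Ruby 3.1 to see the x4.
def growth_ratio(regex, n)
  t_n  = match_seconds(regex, redos_chunk(n))
  t_2n = match_seconds(regex, redos_chunk(2 * n))
  t_2n / t_n
end

# Self-check: on well-formed and on declaration-free input both regexes must
# agree, i.e. the fix is behaviour-preserving for legitimate documents.
def fix_preserves_behaviour?
  samples = [
    %(<?xml version="1.0" encoding="UTF-8"?>),   # single space
    %(<?xml\tversion="1.0"?>),                   # tab as separator
    %(<?xml   version="1.0"?>),                  # run of spaces
    %(<?xml>),                                   # no separator: neither matches
    %(<html><head></head></html>),               # no declaration at all
  ]
  samples.all? do |s|
    xml_declaration(VULNERABLE_XML_DECL, s.b) == xml_declaration(FIXED_XML_DECL, s.b)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "ruby #{RUBY_VERSION}"
  puts "fix preserves behaviour on well-formed input: #{fix_preserves_behaviour?}"
  [1_000, 2_000, 4_000].each do |n|
    v = match_seconds(VULNERABLE_XML_DECL, redos_chunk(n))
    f = match_seconds(FIXED_XML_DECL, redos_chunk(n))
    printf("n=%-6d vulnerable=%.4fs fixed=%.6fs\n", n, v, f)
  end
  printf("growth when n doubles: vulnerable x%.1f, fixed x%.1f\n",
         growth_ratio(VULNERABLE_XML_DECL, 2_000), growth_ratio(FIXED_XML_DECL, 2_000))
end
```

The sizes in the script are kept small on purpose; at the 40,000 spaces of the regression test the old pattern takes many seconds on Ruby 3.1, which is exactly the denial of service.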

Impact

Successful exploitation results in a denial of service. The application processing the crafted HTML will become unresponsive while the regex backtracking consumes excessive CPU resources. This can lead to service degradation or complete unavailability for legitimate users. The vulnerability is classified as a security issue because it allows an unauthenticated remote attacker to disrupt the normal operation of the affected system without requiring any special access. [2]

Mitigation

Users are advised to upgrade to Nokogiri >= 1.13.4; the fix (commit e444525ef163) was released in version 1.13.4 on April 11, 2022. No workaround is known, so upgrading is the only effective mitigation. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. [2][4]
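A practical way to check whether an application is still on a vulnerable release is to scan its Gemfile.lock, including the platform-specific native gems that bundler records alongside the pure-Ruby one. The following is an added example, not Nokogiri's or Bundler's code; the lockfile content is constructed, the helper names are this example's own, and it assumes (true for nokogiri's releases) that the first hyphen in a spec token separates the version from the platform suffix.

```ruby
# Added example (not Nokogiri's or Bundler's code): scan a Gemfile.lock for
# nokogiri entries below the patched version, including platform-specific gems.
require "rubygems"

PATCHED_NOKOGIRI = Gem::Version.new("1.13.4")

# Lines in the "specs:" block of a Gemfile.lock look like
#   "    nokogiri (1.13.3)" or "    nokogiri (1.13.3-x86_64-linux)";
# dependency lines are indented deeper and carry constraints, not versions.
SPEC_LINE = /\A {4}nokogiri \(([^)]+)\)\s*\z/

# Strip a platform suffix such as "-x86_64-linux" or "-java". Assumption: the
# first hyphen separates version from platform (true for nokogiri's releases).
def nokogiri_version(spec_token)
  Gem::Version.new(spec_token.split("-", 2).first)
end

# Returns the nokogiri spec tokens in the lockfile text that are < 1.13.4.
def vulnerable_nokogiri_specs(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    token = line.chomp[SPEC_LINE, 1]
    next unless token
    token if nokogiri_version(token) < PATCHED_NOKOGIRI
  end
end

# Constructed sample lockfile: one vulnerable pure-Ruby entry, one vulnerable
# native entry and one patched native entry.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.3)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.13.4-arm64-darwin)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    arm64-darwin-21
    ruby
    x86_64-linux
LOCK

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_nokogiri.rb [path/to/Gemfile.lock]; without an argument
  # the constructed sample above is scanned.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  found = vulnerable_nokogiri_specs(text)
  if found.empty?
    puts "no nokogiri < #{PATCHED_NOKOGIRI} in lockfile"
  else
    puts "vulnerable to CVE-2022-24836: #{found.join(', ')}"
  end
end
```

Scanning the lockfile rather than the installed gem list matters because a deployment may resolve a different platform-specific nokogiri than the developer's machine; every nokogiri spec in the lock must be at or above 1.13.4.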

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem   Affected versions   Patched versions
nokogiri   RubyGems    < 1.13.4            1.13.4

Affected products: 13

Patches: 1

Commit e444525ef163

fix(perf): HTML4::EncodingReader detection

https://github.com/sparklemotion/nokogiri · Mike Dalessio · Apr 10, 2022 · via ghsa
2 files changed · +13 −1
  • lib/nokogiri/html4/document.rb (+1 −1, modified)
    @@ -268,7 +268,7 @@ def start_element(name, attrs = [])
             end
     
             def self.detect_encoding(chunk)
    -          (m = chunk.match(/\A(<\?xml[ \t\r\n]+[^>]*>)/)) &&
    +          (m = chunk.match(/\A(<\?xml[ \t\r\n][^>]*>)/)) &&
                 (return Nokogiri.XML(m[1]).encoding)
     
               if Nokogiri.jruby?
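Review bot: the one-character change on the regex (dropping the "+" after "[ \t\r\n]") is behaviour-preserving for well-formed declarations, because "[^>]*" already absorbs any further whitespace, but nothing in the code says so; a later cleanup could reintroduce "[ \t\r\n]+" and with it the quadratic backtracking on "<?xml" followed by a long run of spaces with no closing ">". Suggest a comment above the match, e.g. "# one whitespace char, then anything up to '>': keep the two classes disjoint to avoid catastrophic backtracking (CVE-2022-24836)". Also worth noting in that comment that "[^>]*" remains unbounded in length but is now linear, so no further cap is needed.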
    
  • test/html4/test_document_encoding.rb (+12 −0, modified)
    @@ -155,6 +155,18 @@ def binopen(file)
                 end
               end
             end
    +
    +        it "does not start backtracking during detection of XHTML encoding" do
    +          # this test is a quick and dirty version
    +          # of the more complete perf test that is on main.
    +          n = 40_000
    +          redos_string = "<?xml " + (" " * n)
    +          redos_string.encode!("ASCII-8BIT")
    +          start_time = Time.now
    +          Nokogiri::HTML4(redos_string)
    +          elapsed_time = Time.now - start_time
    +          assert_operator(elapsed_time, :<, 1)
    +        end
           end
         end
       end
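Review bot: the regression test asserts an absolute wall-clock bound (elapsed_time < 1) measured with Time.now, which is subject to clock adjustments and will be flaky on a loaded CI runner; use Process.clock_gettime(Process::CLOCK_MONOTONIC) for the timing, and consider exercising EncodingReader.detect_encoding on the redos string at two input sizes and checking that the time does not grow quadratically, rather than relying on a fixed threshold. The test name "does not start backtracking during detection of XHTML encoding" also undersells the input, which is a bare unterminated XML declaration, not an XHTML document; "does not backtrack on an unterminated XML declaration" describes it more precisely.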
    


References: 18
