Uncontrolled Resource Consumption in org.cyberneko.html (nokogiri fork)
Description
org.cyberneko.html is an HTML parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. Users are advised to upgrade to >= 1.9.22.noko2. Note: the upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library, located at https://github.com/sparklemotion/nekohtml, and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.nokogiri:nekohtml (Maven) | < 1.9.22.noko2 | 1.9.22.noko2 |
Affected products
- Range: < 1.9.22.noko2
Patches
Commit a800fce3b079: fix: ensure ill-formed PIs are parsed correctly
1 file changed · +1 −1
src/org/cyberneko/html/HTMLScanner.java+1 −1 modified@@ -2588,7 +2588,7 @@ protected void scanPI() throws IOException { if (c == '?' || c == '/') { char c0 = (char)c; c = fCurrentEntity.read(); - if (c == '>') { + if (c == '>' || c == -1) { break; } fStringBuffer.append(c0);
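Review bot: the added `c == -1` guard stops the loop only at the one `fCurrentEntity.read()` call that follows a `?` or `/`; the visible context does not show whether the other read sites in `scanPI()` already handle end-of-input, nor what the caller does with the unterminated PI after `break`. Please audit the remaining `read()` calls in `scanPI()` for the same missing EOF check, confirm the truncated PI is reported as an error rather than silently accepted, and add a regression test that feeds a processing instruction cut off right after the `?` at end of input, which is the case that previously grew `fStringBuffer` without bound. A named constant for the `-1` sentinel would also make the intent of the comparison clearer than the bare literal.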
References
- https://github.com/advisories/GHSA-9849-p7jc-9rmv (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-24839 (NVD)
- https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d (fix commit)
- https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv (repository advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Oracle Critical Patch Update, July 2022)