CVE-2025-6490
Description
A vulnerability classified as problematic was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It affects the function hashmap_set_with_hash in the file gumbo-parser/src/hashmap.c, where the manipulation leads to a heap-based buffer overflow. The attack requires local access. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a, and applying it is recommended to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.
Patches
ada4708e5a67 gumbo: Make sure to use the char* pointer as the hashmap item (#3524)
2 files changed · +20 −4
gumbo-parser/src/string_set.c+4 −4 modified@@ -8,12 +8,12 @@ static int string_compare(const void *a, const void *b, void *udata) { - return strcmp((const char *)a, (const char *)b); + return strcmp(*(const char **)a, *(const char **)b); } static uint64_t string_hash(const void *item, uint64_t seed0, uint64_t seed1) { - const char *str = (const char *)item; + const char *str = *(const char **)item; return hashmap_xxhash3(str, strlen(str), seed0, seed1); } @@ -31,11 +31,11 @@ void gumbo_string_set_free(GumboStringSet *set) void gumbo_string_set_insert(GumboStringSet *set, const char *str) { - hashmap_set(set, str); + hashmap_set(set, &str); } int gumbo_string_set_contains(GumboStringSet *set, const char *str) { - return hashmap_get(set, str) == NULL ? 0 : 1; + return hashmap_get(set, &str) == NULL ? 0 : 1; }
test/html5/test_attributes.rb+16 −0 modified@@ -27,4 +27,20 @@ def test_duplicate_attributes assert_equal(676, span.attributes.length, "duplicate attribute should be silently ignored") assert_equal("1", span["bb"], "bb attribute should hold the value of the first occurrence") end + + # Using long (longer than 8 bytes) attributes exercises the gumbo hashmap implementation. + # See https://github.com/sparklemotion/nokogiri/issues/3500 + def test_duplicate_attributes_long + html = +"<span " + ("abcdefghijklmnopqrst00".."abcdefghijklmnopqrst99").each do |attr| + html << "#{attr}='1' " + end + ("abcdefghijklmnopqrst00".."abcdefghijklmnopqrst99").each do |attr| + html << "#{attr}='2' " + end + html << ">" + span = Nokogiri::HTML5::DocumentFragment.parse(html, max_attributes: 1000).at_css("span") + + assert_equal(100, span.attributes.length, "duplicate attribute should be silently ignored") + end end if Nokogiri.uses_gumbo?
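Review bot: In the first string_set.c hunk, string_compare and string_hash now treat each item as a pointer to a stored `const char *`, but nothing in the file says so, and that unstated contract is exactly what the old casts got wrong. Please add a short comment above the two callbacks stating that the hashmap hands them the address of the stored element and that the element is a `const char *`. The casts also drop a const level: `*(const char *const *)a` keeps the pointee const-correct where `*(const char **)a` does not.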
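Review bot: In the second string_set.c hunk, `hashmap_set(set, &str)` stores the pointer value itself, and nothing in the visible lines copies the string, so every entry is only valid while the caller's buffer stays alive. Please document that lifetime requirement on gumbo_string_set_insert, or duplicate the string on insert and release it in gumbo_string_set_free. The return value of hashmap_set is also discarded here; if it can report a failed insert, the caller has no way to learn of it.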
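Review bot: In test_duplicate_attributes_long, only the attribute count is asserted, while the neighbouring test_duplicate_attributes also checks that the first occurrence wins via `span["bb"]`. Please add the matching value check, for example that `span["abcdefghijklmnopqrst00"]` equals "1", so a lookup that returns the wrong entry for long names fails the test. The count assertion alone is unlikely to catch an out-of-bounds read or write unless the suite runs under a memory checker, so it would help to note in the comment how this regression is expected to surface.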
References
- github.com/advisories/GHSA-pf9w-gvcf-gv7m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-6490 (ghsa, ADVISORY)
- github.com/sparklemotion/nokogiri/commit/ada4708e5a67114402cd3feb70a4e1d1d7cf773a (nvd, WEB)
- github.com/sparklemotion/nokogiri/issues/3500 (nvd, WEB)
- github.com/sparklemotion/nokogiri/pull/3524 (nvd, WEB)
- vuldb.com (nvd, WEB)
- vuldb.com (nvd, WEB)
- vuldb.com (nvd, WEB)