RubyGems package
nokogiri
pkg:gem/nokogiri
Vulnerabilities (34)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6494 | Low | 3.3 | — | — | — | Jun 22, 2025 | A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833. It has been classified as problematic. This affects the function hashmap_get_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An at |
| CVE-2025-6490 | Low | 3.3 | — | — | — | Jun 22, 2025 | A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attac |
| CVE-2022-23476 | — | — | — | >= 1.13.8, < 1.13.10 | 1.13.10 | Dec 8, 2022 | Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid |
| CVE-2022-29181 | — | — | — | < 1.13.6 | 1.13.6 | May 20, 2022 | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memor |
| CVE-2022-24836 | — | — | — | < 1.13.4 | 1.13.4 | Apr 11, 2022 | Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. Ther |
| CVE-2018-25032 | — | — | — | < 1.13.4 | 1.13.4 | Mar 25, 2022 | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (Upstream zlib advisory; it is listed here because Nokogiri's native gems vendor zlib, and 1.13.4 ships zlib 1.2.12.) |
| CVE-2021-41098 | — | — | — | < 1.12.5 | 1.12.5 | Sep 27, 2021 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of thes |
| CVE-2021-30560 | — | — | — | < 1.13.2 | 1.13.2 | Aug 3, 2021 | Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (The CVE text describes Chrome, but the bug is in the shared libxslt code; it is listed here because Nokogiri vendors libxslt, and 1.13.2 ships libxslt 1.1.35, which carries the fix.) |
| CVE-2021-3517 | — | — | — | < 1.11.4 | 1.11.4 | May 19, 2021 | There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely |
| CVE-2021-3518 | — | — | — | < 1.11.4 | 1.11.4 | May 18, 2021 | There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. |
| CVE-2021-3537 | — | — | — | < 1.11.4 | 1.11.4 | May 14, 2021 | A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the applicat |
| CVE-2020-26247 | — | — | — | < 1.11.0 | 1.11.0 | Dec 30, 2020 | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be acces |
| CVE-2012-6685 | — | — | — | < 1.5.4 | 1.5.4 | Feb 19, 2020 | Nokogiri before 1.5.4 is vulnerable to XXE attacks. |
| CVE-2020-7595 | — | — | — | < 1.10.8 | 1.10.8 | Jan 21, 2020 | xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. |
| CVE-2019-5815 | — | — | — | < 1.10.5 | 1.10.5 | Dec 11, 2019 | Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. |
| CVE-2013-6461 | — | — | — | >= 1.5.0, < 1.5.11 | 1.5.11 | Nov 5, 2019 | Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits. (The range in this row covers only the 1.5 branch; the 1.6 branch named in the description was fixed separately in 1.6.1.) |
| CVE-2013-6460 | — | — | — | >= 1.5.0, < 1.5.11 | 1.5.11 | Nov 5, 2019 | Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents. |
| CVE-2019-18197 | — | — | — | < 1.10.5 | 1.10.5 | Oct 18, 2019 | In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized |
| CVE-2019-5477 | — | — | — | < 1.10.4 | 1.10.4 | Aug 16, 2019 | A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input a |
| CVE-2019-13118 | — | — | — | < 1.10.5 | 1.10.5 | Jul 1, 2019 | In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. |
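The practical question this table answers is "does the nokogiri my lockfile resolves to fall inside any of these ranges?". The following is an added example (not code from this advisory page or from the Nokogiri project) that reads the resolved version out of a Gemfile.lock and matches it against the "Affected versions" column using only RubyGems' own `Gem::Version` and `Gem::Requirement`, so it runs offline. The lockfile text is a constructed sample; the two 2025 gumbo-parser rows show "—" for their range and are deliberately left out, since a row without a range cannot be matched against a version.

```ruby
# Added example, not code from the advisory page or from the Nokogiri project:
# find the nokogiri version pinned in a Gemfile.lock and list which advisories
# from the table above apply to it. Standard library only (rubygems).
require "rubygems"

# [CVE, affected range exactly as the table writes it, fixed-in version].
# The two 2025 gumbo-parser CVEs have no range in the table and are omitted.
NOKOGIRI_ADVISORIES = [
  ["CVE-2022-23476", ">= 1.13.8, < 1.13.10", "1.13.10"],
  ["CVE-2022-29181", "< 1.13.6", "1.13.6"],
  ["CVE-2022-24836", "< 1.13.4", "1.13.4"],
  ["CVE-2018-25032", "< 1.13.4", "1.13.4"],
  ["CVE-2021-41098", "< 1.12.5", "1.12.5"],
  ["CVE-2021-30560", "< 1.13.2", "1.13.2"],
  ["CVE-2021-3517", "< 1.11.4", "1.11.4"],
  ["CVE-2021-3518", "< 1.11.4", "1.11.4"],
  ["CVE-2021-3537", "< 1.11.4", "1.11.4"],
  ["CVE-2020-26247", "< 1.11.0", "1.11.0"],
  ["CVE-2012-6685", "< 1.5.4", "1.5.4"],
  ["CVE-2020-7595", "< 1.10.8", "1.10.8"],
  ["CVE-2019-5815", "< 1.10.5", "1.10.5"],
  ["CVE-2013-6461", ">= 1.5.0, < 1.5.11", "1.5.11"],
  ["CVE-2013-6460", ">= 1.5.0, < 1.5.11", "1.5.11"],
  ["CVE-2019-18197", "< 1.10.5", "1.10.5"],
  ["CVE-2019-5477", "< 1.10.4", "1.10.4"],
  ["CVE-2019-13118", "< 1.10.5", "1.10.5"],
].freeze

# True when `version` satisfies a comma-separated RubyGems range such as
# ">= 1.13.8, < 1.13.10". Gem::Requirement handles prerelease ordering for us.
def version_affected?(version, range_text)
  requirement = Gem::Requirement.new(*range_text.split(",").map(&:strip))
  requirement.satisfied_by?(Gem::Version.new(version))
end

def applicable_advisories(version)
  NOKOGIRI_ADVISORIES.select { |_cve, range, _fixed| version_affected?(version, range) }
end

# Extract the resolved nokogiri version from Gemfile.lock text. Under GEM/specs a
# resolved gem reads "    nokogiri (1.13.9)" or, for a precompiled native gem,
# "    nokogiri (1.13.9-x86_64-linux)"; the platform suffix is dropped because it
# does not change which ranges apply. Dependency lines like "nokogiri (~> 1.13)"
# start with an operator rather than a digit and therefore do not match.
def pinned_version(lockfile_text, gem_name = "nokogiri")
  pattern = /^[ \t]+#{Regexp.escape(gem_name)} \((\d+(?:\.\d+)*)(?:-[^)]+)?\)[ \t]*$/
  match = lockfile_text.match(pattern)
  match && match[1]
end

# Constructed sample lockfile for the demonstration, not from any real project.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.9)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    nokogiri (~> 1.13)
LOCK

# Returns the report as an array of lines so callers (and tests) can inspect it.
def audit_report(lockfile_text)
  version = pinned_version(lockfile_text)
  return ["nokogiri is not pinned in this lockfile"] unless version

  hits = applicable_advisories(version)
  lines = ["nokogiri #{version}: #{hits.size} advisory(ies) from the table apply"]
  hits.each { |cve, range, fixed| lines << "  #{cve}  affected #{range}  fixed in #{fixed}" }
  unless hits.empty?
    # Highest "fixed in" among the hits; re-checked because a later range
    # (e.g. CVE-2022-23476 on 1.13.8-1.13.9) can reopen above an older fix.
    target = hits.map { |_, _, fixed| Gem::Version.new(fixed) }.max.to_s
    still_open = applicable_advisories(target).map(&:first)
    lines << if still_open.empty?
               "  upgrading to #{target} clears every table entry"
             else
               "  #{target} is still affected by #{still_open.join(', ')}; pick a later release"
             end
  end
  lines
end

puts audit_report(SAMPLE_GEMFILE_LOCK)
```

Run it against a real Gemfile.lock by replacing the constructed sample with `File.read("Gemfile.lock")`. Because the second page of this listing is not shown here, the advisory list is necessarily partial; a lockfile that passes this check should still be run through a tool that consumes the full database, such as `bundler-audit`.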
Page 1 of 2