Nokogiri
By the Year
In 2024 there have been 0 vulnerabilities in Nokogiri . Nokogiri did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 0 | 0.00 |
2022 | 3 | 7.73 |
2021 | 1 | 7.50 |
2020 | 2 | 5.90 |
2019 | 3 | 7.60 |
2018 | 0 | 0.00 |
It may take a day or so for new Nokogiri vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Nokogiri Security Vulnerabilities
Nokogiri is an open source XML and HTML library for the Ruby programming language
CVE-2022-23476
7.5 - High
- December 08, 2022
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
NULL Pointer Dereference
Nokogiri is an open source XML and HTML library for Ruby
CVE-2022-29181
8.2 - High
- May 20, 2022
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.
Improper Handling of Unexpected Data Type
Nokogiri is an open source XML and HTML library for Ruby
CVE-2022-24836
7.5 - High
- April 11, 2022
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
ReDoS
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support
CVE-2021-41098
7.5 - High
- September 27, 2021
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
XXE
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support
CVE-2020-26247
4.3 - Medium
- December 30, 2020
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
XXE
Nokogiri before 1.5.4 is vulnerable to XXE attacks
CVE-2012-6685
7.5 - High
- February 19, 2020
Nokogiri before 1.5.4 is vulnerable to XXE attacks
XEE
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
CVE-2013-6461
6.5 - Medium
- November 05, 2019
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
XEE
Nokogiri gem 1.5.x has Denial of Service
CVE-2013-6460
6.5 - Medium
- November 05, 2019
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
XEE
A command injection vulnerability in Nokogiri v1.10.3 and earlier
CVE-2019-5477
9.8 - Critical
- August 16, 2019
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Shell injection