Nokogiri
Monthly
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.allocate` directly on a native-backed class inheriting from `Nokogiri::XML::Node` and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. No public exploit has been identified; the CVSS 4.0 base score of 1.7 with E:U accurately reflects that this defect requires a developer programming error rather than any crafted external input, placing it firmly in the low-priority category.
Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointing at freed libxml2 memory after `#do_xinclude` is called on a document whose nodes have already been exposed to Ruby. An application that triggers this condition may experience invalid memory reads or writes, potentially resulting in a crash or memory disclosure. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.2 reflects the high attack complexity driven by an unusual, non-default API usage pattern required to reach the vulnerable code path.
Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault when an `XML::XPathContext` object outlives its source document and that document is freed by Ruby's garbage collector. Only CRuby is affected; JRuby is not. This is not triggerable by malicious document input and cannot be reached through the standard `Document#xpath`, `#css`, or related methods - it requires an unusual direct API usage pattern in application code. No public exploit has been identified, this is not listed in CISA KEV, and the CVSS 4.0 score of 1.7 reflects the tightly constrained triggering conditions.
Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via `Document#root=`. The root cause is insufficient type validation in the setter, which accepted any `Nokogiri::XML::Node` subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. No active exploitation is confirmed (not in CISA KEV), no public exploit is identified, and the Nokogiri maintainers rate this low severity; the CVSS 4.0 score of 1.7 with E:U corroborates that assessment.
Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.allocate` directly on a native-backed class inheriting from `Nokogiri::XML::Node` and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. No public exploit has been identified; the CVSS 4.0 base score of 1.7 with E:U accurately reflects that this defect requires a developer programming error rather than any crafted external input, placing it firmly in the low-priority category.
Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.
NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.