nokogiri (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package nokogiri, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (32)
CVE-2016-4658 — CVSS 9.8 (critical): xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other…
CVE-2019-5477 — CVSS 9.8 (critical): A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open`…
CVE-2019-11068 — CVSS 9.8 (critical): libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon…
CVE-2021-30560 — CVSS 8.8 (high): Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a…
CVE-2017-5029 — CVSS 8.8 (high): The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows…
CVE-2017-15412 — CVSS 8.8 (high): Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to…
CVE-2021-3518 — CVSS 8.8 (high): There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application…
CVE-2021-3517 — CVSS 8.6 (high): There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted…
CVE-2022-29181 — CVSS 8.2 (high): Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and…
CVE-2015-8806 — CVSS 7.5 (high): dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an…
CVE-2017-9050 — CVSS 7.5 (high): libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This…
CVE-2018-25032 — CVSS 7.5 (high): zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
CVE-2019-18197 — CVSS 7.5 (high): In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area…
CVE-2019-5815 — CVSS 7.5 (high): Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via…
CVE-2020-7595 — CVSS 7.5 (high): xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2021-41098 — CVSS 7.5 (high): Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on…
CVE-2022-23476 — CVSS 7.5 (high): Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return…
CVE-2022-24836 — CVSS 7.5 (high): Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is…
CVE-2015-5312 — CVSS 7.1 (high): The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows…
CVE-2017-18258 — CVSS 6.5 (medium): The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a…
CVE-2018-14404 — CVSS 6.5 (medium): A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an…
CVE-2018-8048 — CVSS 6.1 (medium): In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML…
CVE-2021-3537 — CVSS 5.9 (medium): A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing…
CVE-2019-13117 — CVSS 5.3 (medium): In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumber…
CVE-2019-13118 — CVSS 5.3 (medium): In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid…
CVE-2015-7499 — CVSS 5.0 (medium): Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain…
CVE-2015-1819 — CVSS 5.0 (medium): The xmlreader in libxml allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML…
CVE-2020-26247 — CVSS 2.6 (low): Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version…