Ruby/nokogiri/1.15.7

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

Repo Link: https://rubygems.org/gems/nokogiri
License: MIT

5 Security Vulnerabilities

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-19T22:17:19Z

Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]

Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]

Recommendation: Update to version 1.18.7.

Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-14T22:30:45Z

Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]

Recommendation: Update to version 1.18.7.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Published date: 2025-03-14

CVSS V3: 7.8

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

CVE-2025-24855: Fix use-after-free of XPath context node
CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node
MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

Use-after-free related to excluded result prefixes
MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]

Recommendation: Update to version 1.18.7.

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-13

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]

Recommendation: Update to version 1.18.7.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-18

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]

Recommendation: Update to version 1.18.7.

187 Other Versions

Version	License	Security	Released
1.18.7	MIT		2025-03-31 - 17:48	4 days
1.18.6	MIT		2025-03-24 - 19:36	11 days
1.18.5	MIT		2025-03-19 - 14:43	16 days
1.18.4	MIT		2025-03-14 - 15:42	21 days
1.18.3	MIT	1	2025-02-18 - 22:20	about 1 month
1.18.2	MIT	3	2025-01-19 - 20:31	2 months
1.18.1	MIT	3	2024-12-29 - 22:30	3 months
1.18.0	MIT	3	2024-12-25 - 16:23	3 months
1.18.0.rc1	MIT	3	2024-12-16 - 17:48	4 months
1.17.2	MIT	3	2024-12-12 - 21:22	4 months
1.17.1	MIT	3	2024-12-10 - 14:36	4 months
1.17.0	MIT	3	2024-12-08 - 20:39	4 months
1.16.8	MIT	3	2024-12-02 - 20:17	4 months
1.16.7	MIT	3	2024-07-27 - 19:52	8 months
1.16.6	MIT	3	2024-06-13 - 13:46	10 months
1.16.5	MIT	3	2024-05-13 - 14:01	11 months
1.16.4	MIT	5	2024-04-10 - 18:17	12 months
1.16.3	MIT	5	2024-03-15 - 21:21	about 1 year
1.16.2	MIT	5	2024-02-04 - 16:52	about 1 year
1.16.1	MIT	7	2024-02-03 - 16:27	about 1 year
1.16.0	MIT	7	2023-12-28 - 00:08	over 1 year
1.16.0.rc1	MIT	6	2023-12-13 - 22:00	over 1 year
1.15.7	MIT	5	2024-12-02 - 20:32	4 months
1.15.6	MIT	5	2024-03-16 - 13:14	about 1 year
1.15.5	MIT	6	2023-11-17 - 16:13	over 1 year
1.15.4	MIT	6	2023-08-11 - 19:25	over 1 year
1.15.3	MIT	6	2023-07-05 - 14:34	over 1 year
1.15.2	MIT	6	2023-05-24 - 13:31	almost 2 years
1.15.1	MIT	6	2023-05-19 - 14:06	almost 2 years
1.15.0	MIT	6	2023-05-15 - 19:57	almost 2 years
1.14.5	MIT	7	2023-05-24 - 13:04	almost 2 years
1.14.4	MIT	7	2023-05-11 - 18:12	almost 2 years
1.14.3	MIT	7	2023-04-11 - 17:00	almost 2 years
1.14.2	MIT	8	2023-02-13 - 17:41	about 2 years
1.14.1	MIT	8	2023-01-30 - 19:40	about 2 years
1.14.0	MIT	8	2023-01-12 - 21:52	about 2 years
1.14.0.rc1	MIT	8	2022-12-29 - 15:47	over 2 years
1.13.10	MIT	8	2022-12-08 - 02:47	over 2 years
1.13.9	MIT	10	2022-10-18 - 15:48	over 2 years
1.13.8	MIT	11	2022-07-23 - 15:50	over 2 years
1.13.7	MIT	9	2022-07-12 - 14:56	over 2 years
1.13.6	MIT	9	2022-05-08 - 14:34	almost 3 years
1.13.5	MIT	11	2022-05-04 - 20:41	almost 3 years
1.13.4	MIT	12	2022-04-11 - 20:44	almost 3 years
1.13.3	MIT	21	2022-02-22 - 04:52	about 3 years
1.13.2	MIT	21	2022-02-21 - 18:52	about 3 years
1.13.1	MIT	24	2022-01-13 - 16:04	about 3 years
1.13.0	MIT	24	2022-01-06 - 20:53	about 3 years
1.12.5	MIT	24	2021-09-27 - 19:03	over 3 years
1.12.4	MIT	26	2021-08-29 - 21:18	over 3 years
1.12.3	MIT	26	2021-08-10 - 19:32	over 3 years
1.12.2	MIT	26	2021-08-04 - 15:03	over 3 years
1.12.1	MIT	26	2021-08-03 - 15:11	over 3 years
1.12.0	MIT	26	2021-08-02 - 17:34	over 3 years
1.12.0.rc1	MIT	26	2021-07-09 - 20:00	over 3 years
1.11.7	MIT	26	2021-06-03 - 00:31	almost 4 years
1.11.6	MIT	26	2021-05-26 - 13:16	almost 4 years
1.11.5	MIT	26	2021-05-20 - 03:08	almost 4 years
1.11.4	MIT	26	2021-05-14 - 23:30	almost 4 years
1.11.3	MIT	33	2021-04-07 - 20:33	almost 4 years
1.11.2	MIT	33	2021-03-11 - 15:56	about 4 years
1.11.1	MIT	33	2021-01-06 - 05:30	about 4 years
1.11.0	MIT	33	2021-01-04 - 04:20	about 4 years
1.11.0.rc4	MIT	33	2020-12-29 - 16:44	over 4 years
1.11.0.rc3	MIT	34	2020-09-08 - 13:26	over 4 years
1.11.0.rc2	MIT	34	2020-04-01 - 19:18	about 5 years
1.11.0.rc1	MIT	34	2020-02-03 - 13:54	about 5 years
1.10.10	MIT	35	2020-07-06 - 13:40	over 4 years
1.10.9	MIT	35	2020-03-01 - 19:05	about 5 years
1.10.8	MIT	35	2020-02-10 - 19:44	about 5 years
1.10.7	MIT	37	2019-12-04 - 15:29	over 5 years
1.10.6	MIT	37	2019-12-04 - 00:44	over 5 years
1.10.5	MIT	37	2019-10-31 - 19:29	over 5 years
1.10.4	MIT	45	2019-08-11 - 19:25	over 5 years
1.10.3	MIT	47	2019-04-22 - 17:10	almost 6 years
1.10.2	MIT	49	2019-03-25 - 13:03	about 6 years
1.10.1	MIT	49	2019-01-13 - 06:30	about 6 years
1.10.0	MIT	49	2019-01-04 - 15:35	about 6 years
1.10.0.rc1	MIT	49	2019-01-03 - 15:05	about 6 years
1.9.1	MIT	49	2018-12-18 - 05:22	over 6 years
1.9.0	MIT	49	2018-12-17 - 15:21	over 6 years
1.9.0.rc1	MIT	49	2018-12-10 - 06:10	over 6 years
1.8.5	MIT	49	2018-10-05 - 01:14	over 6 years
1.8.4	MIT	51	2018-07-04 - 00:37	almost 7 years
1.8.3	MIT	51	2018-06-16 - 20:04	almost 7 years
1.8.2	MIT	53	2018-01-29 - 13:16	about 7 years
1.8.1	MIT	57	2017-09-19 - 16:12	over 7 years
1.8.0	MIT	61	2017-06-05 - 04:04	almost 8 years
1.7.2	MIT	61	2017-05-09 - 21:29	almost 8 years
1.7.1	MIT	63	2017-03-20 - 03:39	about 8 years
1.7.0.1	MIT	65	2017-01-04 - 05:42	about 8 years
1.7.0	MIT	65	2016-12-27 - 03:49	over 8 years
1.6.8.1	MIT	65	2016-10-03 - 04:46	over 8 years
1.6.8	MIT	65	2016-06-07 - 00:04	almost 9 years
1.6.8.rc3	MIT	67	2016-02-17 - 06:33	about 9 years
1.6.8.rc2	MIT	67	2016-01-12 - 17:08	about 9 years
1.6.8.rc1	MIT	67	2015-12-17 - 07:28	over 9 years
1.6.7.2	MIT	67	2016-01-20 - 19:18	about 9 years
1.6.7.1	MIT	69	2015-12-17 - 05:08	over 9 years
1.6.7	MIT	71	2015-11-30 - 04:21	over 9 years