Ruby/nokogiri/1.18.2


Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

https://rubygems.org/gems/nokogiri
License: MIT

3 Security Vulnerabilities

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-19T22:17:19Z

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]
Recommendation: Update to version 1.18.7.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Published date: 2025-03-14
CVSS V3: 7.8

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

  • CVE-2025-24855: Fix use-after-free of XPath context node
  • CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

CVE-2024-55549

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3"]
Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]
Recommendation: Update to version 1.18.7.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-18

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc3", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.4", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.10.0.rc1", "1.9.1", "1.9.0", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.1", "1.8.0", "1.7.2", "1.7.1", "1.7.0.1", "1.7.0", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.8.rc1", "1.6.7.2", "1.6.7.1", "1.6.7", "1.6.7.rc4", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.5", "1.6.4.1", "1.6.4", "1.6.3.1", "1.6.3", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2.1", "1.6.2", "1.6.2.rc3", "1.6.2.rc2", "1.6.2.rc1", "1.6.1", "1.6.0", "1.6.0.rc1", "1.5.11", "1.5.10", "1.5.9", "1.5.8", "1.5.7", "1.5.7.rc3", "1.5.7.rc2", "1.5.7.rc1", "1.5.6", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc3", "1.5.5.rc2", "1.5.5.rc1", "1.5.4", "1.5.4.rc3", "1.5.4.rc2", "1.5.4.rc1", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc4", "1.5.3.rc3", "1.5.3.rc2", "1.5.2", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.3", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.7", "1.4.6", "1.4.5", "1.4.4.2", "1.4.4.1", "1.4.4", "1.4.3.1", "1.4.3", "1.4.2.1", "1.4.2", "1.4.1", "1.4.0", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.3", "1.2.2", "1.2.1", "1.2.0", "1.1.1", "1.1.0", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.4, 1.18.5, 1.18.6, 1.18.7]
Recommendation: Update to version 1.18.7.

187 Other Versions

Version License Security Released
1.6.7.rc4 MIT 71 2015-11-22 - 22:56 over 9 years
1.6.7.rc3 MIT 72 2015-09-04 - 17:34 over 9 years
1.6.7.rc2 MIT 72 2015-08-31 - 13:51 over 9 years
1.6.6.4 MIT 71 2015-11-19 - 20:58 over 9 years
1.6.6.3 MIT 72 2015-11-17 - 00:02 over 9 years
1.6.6.2 MIT 72 2015-01-23 - 18:53 about 10 years
1.6.6.1 MIT 72 2015-01-22 - 18:42 about 10 years
1.6.5 MIT 72 2014-11-26 - 21:07 over 10 years
1.6.4.1 MIT 72 2014-11-07 - 03:03 over 10 years
1.6.4 MIT 72 2014-11-05 - 04:32 over 10 years
1.6.3.1 MIT 72 2014-07-22 - 01:35 over 10 years
1.6.3 MIT 72 2014-07-20 - 18:57 over 10 years
1.6.3.rc3 MIT 73 2014-06-21 - 20:31 almost 11 years
1.6.3.rc2 MIT 73 2014-06-17 - 17:04 almost 11 years
1.6.3.rc1 MIT 73 2014-05-22 - 19:23 almost 11 years
1.6.2.1 MIT 72 2014-05-14 - 01:21 almost 11 years
1.6.2 MIT 73 2014-05-12 - 22:31 almost 11 years
1.6.2.rc3 MIT 72 2014-05-09 - 22:00 almost 11 years
1.6.2.rc2 MIT 72 2014-04-10 - 17:15 about 11 years
1.6.2.rc1 MIT 72 2014-04-06 - 20:37 about 11 years
1.6.1 MIT 73 2013-12-15 - 01:54 over 11 years
1.6.0 UNKNOWN 77 2013-06-10 - 14:38 almost 12 years
1.6.0.rc1 UNKNOWN 69 2013-04-23 - 17:32 almost 12 years
1.5.11 MIT 67 2013-12-15 - 01:53 over 11 years
1.5.10 UNKNOWN 69 2013-06-07 - 21:16 almost 12 years
1.5.9 UNKNOWN 69 2013-03-21 - 13:35 about 12 years
1.5.8 UNKNOWN 69 2013-03-19 - 19:56 about 12 years
1.5.7 UNKNOWN 69 2013-03-18 - 20:10 about 12 years
1.5.7.rc3 UNKNOWN 69 2013-03-14 - 12:50 about 12 years
1.5.7.rc2 UNKNOWN 69 2013-03-11 - 09:46 about 12 years
1.5.7.rc1 UNKNOWN 69 2013-02-22 - 18:36 about 12 years
1.5.6 UNKNOWN 69 2012-12-19 - 16:41 over 12 years
1.5.6.rc3 UNKNOWN 69 2012-11-27 - 00:36 over 12 years
1.5.6.rc2 UNKNOWN 69 2012-09-12 - 15:53 over 12 years
1.5.6.rc1 UNKNOWN 69 2012-07-11 - 18:06 almost 13 years
1.5.5 UNKNOWN 69 2012-06-23 - 16:21 almost 13 years
1.5.5.rc3 UNKNOWN 69 2012-06-22 - 15:22 almost 13 years
1.5.5.rc2 UNKNOWN 69 2012-06-14 - 16:35 almost 13 years
1.5.5.rc1 UNKNOWN 69 2012-06-12 - 14:04 almost 13 years
1.5.4 UNKNOWN 69 2012-06-11 - 15:09 almost 13 years
1.5.4.rc3 UNKNOWN 71 2012-06-08 - 18:58 almost 13 years
1.5.4.rc2 UNKNOWN 71 2012-06-08 - 15:26 almost 13 years
1.5.4.rc1 UNKNOWN 71 2012-06-07 - 20:34 almost 13 years
1.5.3 UNKNOWN 71 2012-06-01 - 13:53 almost 13 years
1.5.3.rc6 UNKNOWN 71 2012-05-30 - 15:25 almost 13 years
1.5.3.rc5 UNKNOWN 71 2012-04-27 - 14:55 almost 13 years
1.5.3.rc4 UNKNOWN 71 2012-04-27 - 04:11 almost 13 years
1.5.3.rc3 UNKNOWN 71 2012-03-26 - 22:07 about 13 years
1.5.3.rc2 UNKNOWN 71 2012-03-22 - 15:29 about 13 years
1.5.2 UNKNOWN 71 2012-03-09 - 21:00 about 13 years
1.5.1 UNKNOWN 71 2012-03-09 - 05:59 about 13 years
1.5.1.rc1 UNKNOWN 71 2012-03-04 - 02:01 about 13 years
1.5.0 UNKNOWN 71 2011-07-01 - 07:26 almost 14 years
1.5.0.beta.1 UNKNOWN 69 2010-06-08 - 13:32 almost 15 years
1.5.0.beta.4 UNKNOWN 69 2011-01-27 - 22:59 about 14 years
1.5.0.beta.3 UNKNOWN 69 2010-12-02 - 20:10 over 14 years
1.5.0.beta.2 UNKNOWN 69 2010-07-30 - 15:53 over 14 years
1.4.7 UNKNOWN 71 2011-07-01 - 05:22 almost 14 years
1.4.6 UNKNOWN 71 2011-06-20 - 02:53 almost 14 years
1.4.5 UNKNOWN 71 2011-06-16 - 11:21 almost 14 years
1.4.4.2 UNKNOWN 71 2010-12-01 - 19:35 over 14 years
1.4.4.1 UNKNOWN 71 2010-11-17 - 13:50 over 14 years
1.4.4 UNKNOWN 71 2010-11-16 - 06:28 over 14 years
1.4.3.1 UNKNOWN 71 2010-07-29 - 15:47 over 14 years
1.4.3 UNKNOWN 71 2010-07-29 - 14:59 over 14 years
1.4.2.1 UNKNOWN 71 2010-06-02 - 21:16 almost 15 years
1.4.2 UNKNOWN 71 2010-05-22 - 15:35 almost 15 years
1.4.1 UNKNOWN 71 2009-12-11 - 05:14 over 15 years
1.4.0 UNKNOWN 71 2009-10-31 - 07:00 over 15 years
1.3.3 UNKNOWN 71 2009-09-25 - 09:04 over 15 years
1.3.2 UNKNOWN 71 2009-09-25 - 09:04 over 15 years
1.3.1 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.3.0 UNKNOWN 71 2009-09-25 - 09:04 over 15 years
1.2.3 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.2.2 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.2.1 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.2.0 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.1.1 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.1.0 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.7 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.6 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.5 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.4 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.3 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.2 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.1 UNKNOWN 71 2009-07-25 - 18:05 over 15 years
1.0.0 UNKNOWN 71 2009-07-25 - 18:05 over 15 years