Ruby/nokogiri/1.15.1

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

https://rubygems.org/gems/nokogiri
MIT

7 Security Vulnerabilities

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-19T22:17:19Z
Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-14T22:30:45Z
Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.15.7"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-03-18T20:38:40Z
Links:

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.16.0", "1.16.1", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Published date: 2025-04-21
Links:

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3", "1.18.4", "1.18.5", "1.18.6", "1.18.7"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Published date: 2025-03-14
CVSS V3: 7.8
Links:

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

  • CVE-2025-24855: Fix use-after-free of XPath context node
  • CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

CVE-2024-55549

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-13
Links:

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.15.7"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-18
Links:

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

188 Other Versions

Version License Security Released
1.6.7 MIT 72 2015-11-30 - 04:21 over 9 years
1.6.7.rc4 MIT 72 2015-11-22 - 22:56 over 9 years
1.6.7.rc3 MIT 73 2015-09-04 - 17:34 almost 10 years
1.6.7.rc2 MIT 73 2015-08-31 - 13:51 almost 10 years
1.6.6.4 MIT 72 2015-11-19 - 20:58 over 9 years
1.6.6.3 MIT 73 2015-11-17 - 00:02 over 9 years
1.6.6.2 MIT 73 2015-01-23 - 18:53 over 10 years
1.6.6.1 MIT 73 2015-01-22 - 18:42 over 10 years
1.6.5 MIT 73 2014-11-26 - 21:07 over 10 years
1.6.4.1 MIT 73 2014-11-07 - 03:03 over 10 years
1.6.4 MIT 73 2014-11-05 - 04:32 over 10 years
1.6.3.1 MIT 73 2014-07-22 - 01:35 almost 11 years
1.6.3 MIT 73 2014-07-20 - 18:57 almost 11 years
1.6.3.rc3 MIT 74 2014-06-21 - 20:31 about 11 years
1.6.3.rc2 MIT 74 2014-06-17 - 17:04 about 11 years
1.6.3.rc1 MIT 74 2014-05-22 - 19:23 about 11 years
1.6.2.1 MIT 73 2014-05-14 - 01:21 about 11 years
1.6.2 MIT 74 2014-05-12 - 22:31 about 11 years
1.6.2.rc3 MIT 73 2014-05-09 - 22:00 about 11 years
1.6.2.rc2 MIT 73 2014-04-10 - 17:15 about 11 years
1.6.2.rc1 MIT 73 2014-04-06 - 20:37 about 11 years
1.6.1 MIT 74 2013-12-15 - 01:54 over 11 years
1.6.0 UNKNOWN 78 2013-06-10 - 14:38 about 12 years
1.6.0.rc1 UNKNOWN 70 2013-04-23 - 17:32 about 12 years
1.5.11 MIT 68 2013-12-15 - 01:53 over 11 years
1.5.10 UNKNOWN 70 2013-06-07 - 21:16 about 12 years
1.5.9 UNKNOWN 70 2013-03-21 - 13:35 over 12 years
1.5.8 UNKNOWN 70 2013-03-19 - 19:56 over 12 years
1.5.7 UNKNOWN 70 2013-03-18 - 20:10 over 12 years
1.5.7.rc3 UNKNOWN 70 2013-03-14 - 12:50 over 12 years
1.5.7.rc2 UNKNOWN 70 2013-03-11 - 09:46 over 12 years
1.5.7.rc1 UNKNOWN 70 2013-02-22 - 18:36 over 12 years
1.5.6 UNKNOWN 70 2012-12-19 - 16:41 over 12 years
1.5.6.rc3 UNKNOWN 70 2012-11-27 - 00:36 over 12 years
1.5.6.rc2 UNKNOWN 70 2012-09-12 - 15:53 almost 13 years
1.5.6.rc1 UNKNOWN 70 2012-07-11 - 18:06 almost 13 years
1.5.5 UNKNOWN 70 2012-06-23 - 16:21 about 13 years
1.5.5.rc3 UNKNOWN 70 2012-06-22 - 15:22 about 13 years
1.5.5.rc2 UNKNOWN 70 2012-06-14 - 16:35 about 13 years
1.5.5.rc1 UNKNOWN 70 2012-06-12 - 14:04 about 13 years
1.5.4 UNKNOWN 70 2012-06-11 - 15:09 about 13 years
1.5.4.rc3 UNKNOWN 72 2012-06-08 - 18:58 about 13 years
1.5.4.rc2 UNKNOWN 72 2012-06-08 - 15:26 about 13 years
1.5.4.rc1 UNKNOWN 72 2012-06-07 - 20:34 about 13 years
1.5.3 UNKNOWN 72 2012-06-01 - 13:53 about 13 years
1.5.3.rc6 UNKNOWN 72 2012-05-30 - 15:25 about 13 years
1.5.3.rc5 UNKNOWN 72 2012-04-27 - 14:55 about 13 years
1.5.3.rc4 UNKNOWN 72 2012-04-27 - 04:11 about 13 years
1.5.3.rc3 UNKNOWN 72 2012-03-26 - 22:07 over 13 years
1.5.3.rc2 UNKNOWN 72 2012-03-22 - 15:29 over 13 years