Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-19T22:17:19Z

Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Duplicate Advisory: Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-14T22:30:45Z

Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-r95h-9x8f-r3f7. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.15.7"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-03-18T20:38:40Z

Links:

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.16.0", "1.16.1", "1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Published date: 2025-04-21

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

CVE-2025-32414
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
CVE-2025-32415
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3", "1.18.4", "1.18.5", "1.18.6", "1.18.7"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Published date: 2025-03-14

CVSS V3: 7.8

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

CVE-2025-24855: Fix use-after-free of XPath context node
CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node
MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

Use-after-free related to excluded result prefixes
MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Published date: 2024-05-13

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
2024-05-13 08:30 EDT, nokogiri maintainers begin triage
2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.15.7"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-18

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Use-after-free in libxml2 via Nokogiri::XML::Reader

Published date: 2024-02-04

Links:

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j

Summary

Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.14.5", "1.16.0.rc1", "1.16.0", "1.16.1"]

Secure versions: [1.18.8]

Recommendation: Update to version 1.18.8.

Ruby/nokogiri/1.16.1

8 Security Vulnerabilities

Duplicate Advisory

Original Description

Summary

Impact

CVE-2025-24928

CVE-2024-56171

Duplicate Advisory

Original Description

Summary

Impact

Timeline

Summary

Severity

Impact

Mitigation

Summary

Impact

CVE-2025-32414: No impact

CVE-2025-32415: Low impact

Summary

Impact

CVE-2025-24855

CVE-2024-55549

Summary

Impact

Timeline

Summary

Impact

CVE-2025-24928

CVE-2024-56171

Summary

Severity

Impact

Mitigation

188 Other Versions

Version	License	Security	Released
1.12.4	MIT	27	2021-08-29 - 21:18	almost 4 years
1.12.3	MIT	27	2021-08-10 - 19:32	almost 4 years
1.12.2	MIT	27	2021-08-04 - 15:03	almost 4 years
1.12.1	MIT	27	2021-08-03 - 15:11	almost 4 years
1.12.0	MIT	27	2021-08-02 - 17:34	almost 4 years
1.12.0.rc1	MIT	27	2021-07-09 - 20:00	almost 4 years
1.11.7	MIT	27	2021-06-03 - 00:31	about 4 years
1.11.6	MIT	27	2021-05-26 - 13:16	about 4 years
1.11.5	MIT	27	2021-05-20 - 03:08	about 4 years
1.11.4	MIT	27	2021-05-14 - 23:30	about 4 years
1.11.3	MIT	34	2021-04-07 - 20:33	about 4 years
1.11.2	MIT	34	2021-03-11 - 15:56	over 4 years
1.11.1	MIT	34	2021-01-06 - 05:30	over 4 years
1.11.0	MIT	34	2021-01-04 - 04:20	over 4 years
1.11.0.rc4	MIT	34	2020-12-29 - 16:44	over 4 years
1.11.0.rc3	MIT	35	2020-09-08 - 13:26	almost 5 years
1.11.0.rc2	MIT	35	2020-04-01 - 19:18	over 5 years
1.11.0.rc1	MIT	35	2020-02-03 - 13:54	over 5 years
1.10.10	MIT	36	2020-07-06 - 13:40	almost 5 years
1.10.9	MIT	36	2020-03-01 - 19:05	over 5 years
1.10.8	MIT	36	2020-02-10 - 19:44	over 5 years
1.10.7	MIT	38	2019-12-04 - 15:29	over 5 years
1.10.6	MIT	38	2019-12-04 - 00:44	over 5 years
1.10.5	MIT	38	2019-10-31 - 19:29	over 5 years
1.10.4	MIT	46	2019-08-11 - 19:25	almost 6 years
1.10.3	MIT	48	2019-04-22 - 17:10	about 6 years
1.10.2	MIT	50	2019-03-25 - 13:03	over 6 years
1.10.1	MIT	50	2019-01-13 - 06:30	over 6 years
1.10.0	MIT	50	2019-01-04 - 15:35	over 6 years
1.10.0.rc1	MIT	50	2019-01-03 - 15:05	over 6 years
1.9.1	MIT	50	2018-12-18 - 05:22	over 6 years
1.9.0	MIT	50	2018-12-17 - 15:21	over 6 years
1.9.0.rc1	MIT	50	2018-12-10 - 06:10	over 6 years
1.8.5	MIT	50	2018-10-05 - 01:14	over 6 years
1.8.4	MIT	52	2018-07-04 - 00:37	almost 7 years
1.8.3	MIT	52	2018-06-16 - 20:04	about 7 years
1.8.2	MIT	54	2018-01-29 - 13:16	over 7 years
1.8.1	MIT	58	2017-09-19 - 16:12	almost 8 years
1.8.0	MIT	62	2017-06-05 - 04:04	about 8 years
1.7.2	MIT	62	2017-05-09 - 21:29	about 8 years
1.7.1	MIT	64	2017-03-20 - 03:39	over 8 years
1.7.0.1	MIT	66	2017-01-04 - 05:42	over 8 years
1.7.0	MIT	66	2016-12-27 - 03:49	over 8 years
1.6.8.1	MIT	66	2016-10-03 - 04:46	over 8 years
1.6.8	MIT	66	2016-06-07 - 00:04	about 9 years
1.6.8.rc3	MIT	68	2016-02-17 - 06:33	over 9 years
1.6.8.rc2	MIT	68	2016-01-12 - 17:08	over 9 years
1.6.8.rc1	MIT	68	2015-12-17 - 07:28	over 9 years
1.6.7.2	MIT	68	2016-01-20 - 19:18	over 9 years
1.6.7.1	MIT	70	2015-12-17 - 05:08	over 9 years