Ruby/nokogiri/1.16.6

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2, libgumbo, or xerces.

https://rubygems.org/gems/nokogiri
MIT

4 Security Vulnerabilities

Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-19T22:17:19Z
Links:

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Published date: 2025-04-21
Links:

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3", "1.18.4", "1.18.5", "1.18.6", "1.18.7"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Published date: 2025-03-14
CVSS V3: 7.8
Links:

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

  • CVE-2025-24855: Fix use-after-free of XPath context node
  • CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

CVE-2024-55549

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2", "1.18.3"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Published date: 2025-02-18
Links:

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Affected versions: ["1.11.0.rc2", "1.11.0.rc1", "1.10.10", "1.10.9", "1.10.8", "1.10.7", "1.10.6", "1.10.5", "1.10.3", "1.10.2", "1.10.1", "1.10.0", "1.9.0", "1.8.1", "1.7.2", "1.7.0.1", "1.7.0", "1.6.8.rc1", "1.6.7.2", "1.6.7.rc4", "1.6.5", "1.6.4", "1.6.3", "1.6.2.1", "1.6.2.rc3", "1.6.2.rc1", "1.6.0.rc1", "1.5.10", "1.5.8", "1.5.7.rc2", "1.5.7.rc1", "1.5.6.rc3", "1.5.6.rc2", "1.5.6.rc1", "1.5.5", "1.5.5.rc1", "1.5.4", "1.5.4.rc2", "1.5.4.rc1", "1.5.3.rc4", "1.5.3.rc3", "1.5.1", "1.5.1.rc1", "1.5.0", "1.5.0.beta.4", "1.5.0.beta.1", "1.4.4.2", "1.4.4", "1.4.3.1", "1.4.2.1", "1.4.1", "1.3.2", "1.2.3", "1.2.1", "1.2.0", "1.1.1", "1.0.7", "1.0.0", "1.11.0.rc3", "1.10.4", "1.10.0.rc1", "1.9.1", "1.9.0.rc1", "1.8.5", "1.8.4", "1.8.3", "1.8.2", "1.8.0", "1.7.1", "1.6.8.1", "1.6.8", "1.6.8.rc3", "1.6.8.rc2", "1.6.7.1", "1.6.7", "1.6.7.rc3", "1.6.7.rc2", "1.6.6.4", "1.6.6.3", "1.6.6.2", "1.6.6.1", "1.6.4.1", "1.6.3.1", "1.6.3.rc3", "1.6.3.rc2", "1.6.3.rc1", "1.6.2", "1.6.2.rc2", "1.6.1", "1.6.0", "1.5.11", "1.5.9", "1.5.7", "1.5.7.rc3", "1.5.6", "1.5.5.rc3", "1.5.5.rc2", "1.5.4.rc3", "1.5.3", "1.5.3.rc6", "1.5.3.rc5", "1.5.3.rc2", "1.5.2", "1.5.0.beta.3", "1.5.0.beta.2", "1.4.7", "1.4.6", "1.4.5", "1.4.4.1", "1.4.3", "1.4.2", "1.4.0", "1.3.3", "1.3.1", "1.3.0", "1.2.2", "1.1.0", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.11.0.rc4", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.11.4", "1.11.5", "1.11.6", "1.11.7", "1.12.0.rc1", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.12.5", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.13.6", "1.13.7", "1.13.8", "1.13.9", "1.13.10", "1.14.0.rc1", "1.14.0", "1.14.1", "1.14.2", "1.14.3", "1.14.4", "1.15.0", "1.15.1", "1.15.2", "1.14.5", "1.15.3", "1.15.4", "1.15.5", "1.16.0.rc1", "1.16.0", "1.16.1", "1.16.2", "1.16.3", "1.15.6", "1.16.4", "1.16.5", "1.16.6", "1.16.7", "1.16.8", "1.15.7", "1.17.0", "1.17.1", "1.17.2", "1.18.0.rc1", "1.18.0", "1.18.1", "1.18.2"]
Secure versions: [1.18.8]
Recommendation: Update to version 1.18.8.

188 Other Versions

Version License Security Released
1.18.8 MIT 2025-04-21 - 19:13 2 months
1.18.7 MIT 1 2025-03-31 - 17:48 3 months
1.18.6 MIT 1 2025-03-24 - 19:36 3 months
1.18.5 MIT 1 2025-03-19 - 14:43 4 months
1.18.4 MIT 1 2025-03-14 - 15:42 4 months
1.18.3 MIT 2 2025-02-18 - 22:20 5 months
1.18.2 MIT 4 2025-01-19 - 20:31 6 months
1.18.1 MIT 4 2024-12-29 - 22:30 6 months
1.18.0 MIT 4 2024-12-25 - 16:23 6 months
1.18.0.rc1 MIT 4 2024-12-16 - 17:48 7 months
1.17.2 MIT 4 2024-12-12 - 21:22 7 months
1.17.1 MIT 4 2024-12-10 - 14:36 7 months
1.17.0 MIT 4 2024-12-08 - 20:39 7 months
1.16.8 MIT 4 2024-12-02 - 20:17 7 months
1.16.7 MIT 4 2024-07-27 - 19:52 11 months
1.16.6 MIT 4 2024-06-13 - 13:46 about 1 year
1.16.5 MIT 4 2024-05-13 - 14:01 about 1 year
1.16.4 MIT 6 2024-04-10 - 18:17 about 1 year
1.16.3 MIT 6 2024-03-15 - 21:21 over 1 year
1.16.2 MIT 6 2024-02-04 - 16:52 over 1 year
1.16.1 MIT 8 2024-02-03 - 16:27 over 1 year
1.16.0 MIT 8 2023-12-28 - 00:08 over 1 year
1.16.0.rc1 MIT 7 2023-12-13 - 22:00 over 1 year
1.15.7 MIT 6 2024-12-02 - 20:32 7 months
1.15.6 MIT 6 2024-03-16 - 13:14 over 1 year
1.15.5 MIT 7 2023-11-17 - 16:13 over 1 year
1.15.4 MIT 7 2023-08-11 - 19:25 almost 2 years
1.15.3 MIT 7 2023-07-05 - 14:34 almost 2 years
1.15.2 MIT 7 2023-05-24 - 13:31 about 2 years
1.15.1 MIT 7 2023-05-19 - 14:06 about 2 years
1.15.0 MIT 7 2023-05-15 - 19:57 about 2 years
1.14.5 MIT 8 2023-05-24 - 13:04 about 2 years
1.14.4 MIT 8 2023-05-11 - 18:12 about 2 years
1.14.3 MIT 8 2023-04-11 - 17:00 about 2 years
1.14.2 MIT 9 2023-02-13 - 17:41 over 2 years
1.14.1 MIT 9 2023-01-30 - 19:40 over 2 years
1.14.0 MIT 9 2023-01-12 - 21:52 over 2 years
1.14.0.rc1 MIT 9 2022-12-29 - 15:47 over 2 years
1.13.10 MIT 9 2022-12-08 - 02:47 over 2 years
1.13.9 MIT 11 2022-10-18 - 15:48 over 2 years
1.13.8 MIT 12 2022-07-23 - 15:50 almost 3 years
1.13.7 MIT 10 2022-07-12 - 14:56 almost 3 years
1.13.6 MIT 10 2022-05-08 - 14:34 about 3 years
1.13.5 MIT 12 2022-05-04 - 20:41 about 3 years
1.13.4 MIT 13 2022-04-11 - 20:44 about 3 years
1.13.3 MIT 22 2022-02-22 - 04:52 over 3 years
1.13.2 MIT 22 2022-02-21 - 18:52 over 3 years
1.13.1 MIT 25 2022-01-13 - 16:04 over 3 years
1.13.0 MIT 25 2022-01-06 - 20:53 over 3 years
1.12.5 MIT 25 2021-09-27 - 19:03 almost 4 years