libxmljs@0.15.0 vulnerabilities

libxml bindings for the V8 JavaScript engine

Direct Vulnerabilities

Known vulnerabilities in the libxmljs package. This does not include vulnerabilities belonging to this package’s dependencies.

Type Confusion (severity: High)

libxmljs provides libxml bindings for the V8 JavaScript engine.

Affected versions of this package are vulnerable to Type Confusion when parsing a specially crafted XML document while invoking the namespaces() function, which in turn calls the _wrap__xmlNode_nsDef_get() function on a grandchild of a node that refers to an entity. An attacker can cause a denial of service or execute arbitrary code by having the application parse a specially crafted XML document.

How to fix Type Confusion?

There is no fixed version for libxmljs.

Vulnerable versions: * (all versions)
Remote Code Execution (RCE) (severity: High)

libxmljs provides libxml bindings for the V8 JavaScript engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when parsing a specially crafted XML document while invoking a function on the result of attrs() called on a parsed node. An attacker can cause a denial of service, a data leak, an infinite loop, and arbitrary code execution on 32-bit systems with the XML_PARSE_HUGE flag enabled by submitting a malicious XML document.

How to fix Remote Code Execution (RCE)?

There is no fixed version for libxmljs.

Vulnerable versions: * (all versions)
Denial of Service (DoS) (severity: High)

libxmljs provides libxml bindings for the V8 JavaScript engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). When the libxmljs.parseXml function is invoked with a non-buffer argument, the V8 code attempts to invoke the argument's .toString method. If the argument's toString property is not a Function object, V8 crashes.

PoC:

  let libxmljs = require("libxmljs");
  // toString is a number, not a function: the binding tries to call it and V8 crashes
  let xml = {toString: 1 };
  libxmljs.parseXml(xml);

How to fix Denial of Service (DoS)?

Upgrade libxmljs to version 0.19.8 or higher.

Vulnerable versions: <0.19.8
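Where upgrading is not immediately possible, the failure mode above can be kept out of native code by validating the argument type in JavaScript first. The following is an added example, not code from the advisory or from libxmljs; `guardedParseXml` takes the parser as an injected `parseFn` (a stand-in `fakeParseXml` is used so it runs offline), and the byte limit is a constructed value.

```javascript
// Added example: reject the argument shapes the PoC relies on before they
// reach the libxmljs binding. MAX_DOC_BYTES is a constructed limit.
const MAX_DOC_BYTES = 10 * 1024 * 1024;

function isSafeXmlInput(value) {
  // Only plain strings and Buffers are allowed through.
  return typeof value === "string" || Buffer.isBuffer(value);
}

function guardedParseXml(parseFn, input, maxBytes = MAX_DOC_BYTES) {
  // An object such as {toString: 1} (the PoC) is rejected here, in JS,
  // instead of crashing the process inside the native binding.
  if (!isSafeXmlInput(input)) {
    throw new TypeError(`parseXml expects a string or Buffer, got ${typeof input}`);
  }
  const size = Buffer.isBuffer(input) ? input.length : Buffer.byteLength(input, "utf8");
  if (size > maxBytes) {
    throw new RangeError(`XML document of ${size} bytes exceeds limit of ${maxBytes}`);
  }
  return parseFn(input);
}

// Hypothetical stand-in for libxmljs.parseXml so the example runs without the package.
function fakeParseXml(input) {
  return { bytes: Buffer.isBuffer(input) ? input.length : Buffer.byteLength(input, "utf8") };
}

function demo() {
  const results = { stringOk: null, bufferOk: null, pocRejected: false, oversizeRejected: false };
  results.stringOk = guardedParseXml(fakeParseXml, "<root/>").bytes;
  results.bufferOk = guardedParseXml(fakeParseXml, Buffer.from("<a><b/></a>")).bytes;
  try {
    guardedParseXml(fakeParseXml, { toString: 1 }); // the PoC argument
  } catch (err) {
    results.pocRejected = err instanceof TypeError;
  }
  try {
    guardedParseXml(fakeParseXml, "x".repeat(64), 32); // over the size cap
  } catch (err) {
    results.oversizeRejected = err instanceof RangeError;
  }
  return results;
}
```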
Sensitive Information Exposure (severity: Medium)

nokogiri is an HTML, XML, SAX, and Reader parser with the ability to search documents via XPath or CSS3 selectors. Affected versions of this gem are vulnerable to both Memory Exhaustion and Sensitive Information Exposure.

Vulnerable versions: <0.17.0