Inefficient Regular Expression Complexity Affecting ruby-nokogiri package, versions <1.13.4-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
1.56% (87th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Inefficient Regular Expression Complexity vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ALPINE321-RUBYNOKOGIRI-8489453
  • published6 Dec 2024
  • disclosed11 Apr 2022

Introduced: 11 Apr 2022

CVE-2022-24836  (opens in a new tab)
CWE-1333  (opens in a new tab)

How to fix?

Upgrade Alpine:3.21 ruby-nokogiri to version 1.13.4-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ruby-nokogiri package and not the ruby-nokogiri package as distributed by Alpine. See How to fix? for Alpine:3.21 relevant fixed versions and status.

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri &lt; v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri &gt;= 1.13.4. There are no known workarounds for this issue.

CVSS Scores

version 3.1