Use After Free Affecting nokogiri Open this link in a new tab package, versions <1.13.2


0.0
high
  • Attack Complexity

    High

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-RUBY-NOKOGIRI-2413994

  • published

    23 Feb 2022

  • disclosed

    20 Feb 2022

  • credit

    Shinji Sato

How to fix?

Upgrade nokogiri to version 1.13.2 or higher.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free via the ID and IDREF attributes, when using the xmlReader interface with validation or when a document is parsed with XML_PARSE_DTDVALID and without XML_PARSE_NOENT. This can lead to the value of ID attributes to not be normalized after potentially expanding entities in xmlRemoveID, which will cause later calls to xmlGetID to return a pointer to previously freed memory.