Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Low severity GitHub Reviewed Published Feb 18, 2025 in sparklemotion/nokogiri • Updated Mar 10, 2025

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.18.3

Patched versions

1.18.3

Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
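Both fixes ship inside the libxml2 that Nokogiri packages, so the gem version alone only answers the question for packaged builds; a Nokogiri built against a system libxml2 (the `--use-system-libraries` build) stays exposed until the system library itself reaches 2.13.6. The script below is an added example, not part of this advisory or of the Nokogiri project, that applies the version thresholds from this advisory to a `Nokogiri::VERSION_INFO`-shaped hash. It assumes that hash carries `"nokogiri" => {"version"}` and `"libxml" => {"source", "loaded"}` keys (that is the shape as understood here, not guaranteed by the page) and uses only the Ruby standard library so it runs without the gem installed.

```ruby
# Added example (not from the advisory or the Nokogiri project): decide whether a
# Nokogiri installation is inside the affected range for GHSA-vvfq-8hwr-qm4m and
# which component actually needs the upgrade.
require "rubygems" # Gem::Version comes with RubyGems, no gem install needed

PATCHED_NOKOGIRI = Gem::Version.new("1.18.3") # patched gem release per the advisory
PATCHED_LIBXML2  = Gem::Version.new("2.13.6") # libxml2 release carrying both CVE fixes

# True when the gem version is below the patched release named in the advisory.
def nokogiri_affected?(version)
  Gem::Version.new(version) < PATCHED_NOKOGIRI
end

# True when the libxml2 actually loaded at runtime is older than 2.13.6.
# This is the ground truth: the parser code that runs is the one that matters.
def libxml2_affected?(version)
  Gem::Version.new(version) < PATCHED_LIBXML2
end

# version_info is assumed to mirror Nokogiri::VERSION_INFO, e.g.
#   { "nokogiri" => { "version" => "1.18.2" },
#     "libxml"   => { "source" => "packaged", "loaded" => "2.13.5" } }
# "source" is "packaged" for the bundled libxml2 and "system" for a
# --use-system-libraries build (assumed key names).
def assess(version_info)
  gem_version = version_info.fetch("nokogiri").fetch("version")
  libxml      = version_info.fetch("libxml")
  source      = libxml.fetch("source")
  loaded      = libxml.fetch("loaded")

  vulnerable = libxml2_affected?(loaded)
  fix = if !vulnerable
          :none
        elsif source == "packaged"
          :upgrade_nokogiri_gem      # gem >= 1.18.3 brings libxml2 2.13.6 along
        else
          :upgrade_system_libxml2    # bumping the gem changes nothing here
        end

  {
    gem_version:      gem_version,
    gem_affected:     nokogiri_affected?(gem_version),
    libxml2_loaded:   loaded,
    libxml2_source:   source,
    vulnerable:       vulnerable,
    fix:              fix,
  }
end

# Probe the live installation when the gem is present; nil otherwise.
def live_version_info
  require "nokogiri"
  Nokogiri::VERSION_INFO
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  info = live_version_info
  if info
    puts assess(info).inspect
  else
    # Constructed sample hash standing in for a system-libxml2 build.
    sample = { "nokogiri" => { "version" => "1.18.3" },
               "libxml"   => { "source" => "system", "loaded" => "2.13.5" } }
    puts "nokogiri not installed; sample assessment: #{assess(sample).inspect}"
  end
end
```

The sample case in the usage branch is the one worth remembering: a gem already at 1.18.3 still reports `:upgrade_system_libxml2` because the loaded library is 2.13.5, so a dependency scanner that only looks at the Gemfile.lock would call that host patched when it is not.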

@flavorjones flavorjones published to sparklemotion/nokogiri Feb 18, 2025
Published to the GitHub Advisory Database Feb 18, 2025
Reviewed Feb 18, 2025
Last updated Mar 10, 2025

Severity

Low

Weaknesses

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory belongs to the code that operates on the new pointer.

Dependency on Vulnerable Third-Party Component

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

CVE ID

No known CVE

GHSA ID

GHSA-vvfq-8hwr-qm4m