CVE-2022-23476 Information

Dec 09, 2022 cve

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Readerattribute_hash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri >= 1.13.10. Users may be able to search their code for calls to either XML::Readerattributes or XML::Readerattribute_hash to determine if they are affected.

Reference

https://github.com/sparklemotion/nokogiri/commit/9fe0761c47c0d4270d1a5220cfd25de080350d50 https://github.com/sparklemotion/nokogiri/commit/85410e38410f670cbbc8c5b00d07b843caee88ce https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qv4q-mr5r-qprj

Share on: