CVE-2022-29181

HIGH · CVSS 3.1 base score 8.2
Published May 20, 2022 · Last Modified Jun 17, 2026

Description

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.
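
The workaround in the description (make sure anything untrusted reaches the SAX parser as a String) as an added Ruby example. This is not Nokogiri project code, and `coerce_sax_input`, `parse_untrusted`, `RecordingParser`, `nokogiri_patched?` and `FIXED_VERSION` are hypothetical names introduced here. The parser is injected so the guard can be exercised without the gem; the demo at the bottom only talks to a real `Nokogiri::XML::SAX::Parser` when the gem is installed. It is deliberately stricter than the advisory's `#to_s` suggestion: non-String, non-IO input is rejected rather than stringified, so a caller bug that on an unpatched Nokogiri would have crashed the process surfaces as a `TypeError` instead of being parsed as the document `"12345"`.

```ruby
# Added example, not Nokogiri project code: a boundary guard implementing the
# advisory's workaround. The helper names below are hypothetical.
require "stringio"

# First Nokogiri release whose SAX parsers type-check their own input (CVE-2022-29181).
FIXED_VERSION = Gem::Version.new("1.13.6")

# True when the installed gem already rejects non-String SAX input itself, so the
# guard below is belt-and-braces rather than the only line of defence.
def nokogiri_patched?(version_string)
  Gem::Version.new(version_string) >= FIXED_VERSION
end

# Return a String for the SAX parser or raise. Strings pass through untouched;
# IO-like objects are drained into a String (SAX is streaming, so this trades
# memory for a hard type guarantee); anything else (Integer, Array, nil, ...)
# is rejected. The advisory's minimal fix is `input.to_s`; rejecting is stricter,
# because `12345.to_s` silently parsing the document "12345" would hide the
# caller bug that, on an unpatched Nokogiri, surfaced as a segfault.
def coerce_sax_input(input)
  case input
  when String then input
  when IO, StringIO then input.read.to_s   # StringIO is not an IO subclass
  else
    raise TypeError, "SAX input must be a String or IO, got #{input.class}"
  end
end

# Hand untrusted input to any parser responding to #parse_memory
# (Nokogiri::XML::SAX::Parser does). The parser is injected so the guard can
# be exercised without the gem installed.
def parse_untrusted(input, parser)
  parser.parse_memory(coerce_sax_input(input))
end

# Stand-in parser that records exactly what object it was handed.
class RecordingParser
  attr_reader :received
  def parse_memory(data)
    @received = data
    :parsed
  end
end

if __FILE__ == $PROGRAM_NAME
  begin
    require "nokogiri"
    puts "Nokogiri #{Nokogiri::VERSION} type-checks SAX input: #{nokogiri_patched?(Nokogiri::VERSION)}"

    # Constructed sample document; the SAX document subclass collects element names.
    collector = Class.new(Nokogiri::XML::SAX::Document) do
      attr_reader :names
      def initialize; super; @names = []; end
      def start_element(name, _attrs = []); @names << name; end
    end.new
    parse_untrusted("<root><item/><item/></root>", Nokogiri::XML::SAX::Parser.new(collector))
    puts "elements seen: #{collector.names.inspect}"
  rescue LoadError
    puts "nokogiri not installed; guard exercised only against RecordingParser"
  end

  stub = RecordingParser.new
  parse_untrusted(StringIO.new("<a/>"), stub)
  puts "stub received a #{stub.received.class}"   # always String
  begin
    parse_untrusted([1, 2, 3], stub)
  rescue TypeError => e
    puts "rejected: #{e.message}"
  end
end
```

The version check is there because the guard is a stopgap: once every deployment is on 1.13.6 or later the library performs the check itself, and the wrapper becomes a cheap second layer rather than the only thing standing between untrusted bytes and the C extension.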

CVSS Details

Base Score: 8.2
Exploitability: 3.9
Impact: 4.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-241  Improper Handling of Unexpected Data Type
CWE-843  Access of Resource Using Incompatible Type ('Type Confusion')

Affected Products 2

Vendor      Product     Version   Range
nokogiri    nokogiri    *         <1.13.6
apple       macos       *         ≥13.0 – <13.1

References 8

  • seclists.org http://seclists.org/fulldisclosure/2022/Dec/23
    Mailing List, Third Party Advisory
  • github.com https://github.com/sparklemotion/nokogiri/commit/83cc451c3f29df397caa890afc3b714eae6ab8f7
  • github.com https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
    Patch, Third Party Advisory
  • github.com https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
    Release Notes, Third Party Advisory
  • github.com https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
    Issue Tracking, Third Party Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202208-29
    Third Party Advisory
  • securitylab.github.com https://securitylab.github.com/advisories/GHSL-2022-031_GHSL-2022-032_Nokogiri/
    Exploit, Third Party Advisory
  • support.apple.com https://support.apple.com/kb/HT213532
    Third Party Advisory

Remediation

  • github.com https://github.com/sparklemotion/nokogiri/commit/db05ba9a1bd4b90aa6c76742cf6102a7c7297267
    Patch, Third Party Advisory