Nokogiri: Denial of Service — GLSA 202408-13

A vulnerability has been discovered in Nokogiri, which can lead to a denial of service.

Affected packages

dev-ruby/nokogiri on all architectures
Affected versions < 1.13.10
Unaffected versions >= 1.13.10

Background

Nokogiri is an HTML, XML, SAX, and Reader parser.

Description

A denial of service vulnerability has been discovered in Nokogiri. Please review the CVE identifier referenced below for details.

Impact

Nokogiri does not check the return value of `xmlTextReaderExpand` in `Nokogiri::XML::Reader#attribute_hash`. When invalid markup is parsed, `xmlTextReaderExpand` returns NULL and the unchecked pointer is dereferenced in the C extension, crashing the Ruby process; this is a native crash and cannot be rescued from Ruby code. Applications that use `XML::Reader` to parse untrusted input are therefore exposed to a denial of service.

Workaround

Users who cannot upgrade immediately can search their code for calls to `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine whether they are affected. In affected versions `#attributes` calls `#attribute_hash` internally, so both methods reach the unchecked code path; code that iterates a reader without calling either method does not.
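The following triage script is an added example, not code from Gentoo or the Nokogiri project. It uses only the Ruby standard library, so it runs without Nokogiri installed, and it does the two checks this advisory calls for: comparing a Nokogiri version against 1.13.10, the first unaffected release listed above, and scanning Ruby source for the two affected Reader methods. The Gemfile.lock excerpt and the source snippet inside it are constructed for illustration; `locked_nokogiri_version` and `affected_call_sites` are names chosen here, not Nokogiri APIs.

```ruby
# Added triage script for the XML::Reader issue described in this advisory.
# Not code from Gentoo or the Nokogiri project; standard library only.
#   1. compares a Nokogiri version (e.g. from Gemfile.lock) against 1.13.10,
#      the first unaffected release named in the advisory;
#   2. scans Ruby source for the two affected methods, XML::Reader#attributes
#      and XML::Reader#attribute_hash, as the workaround suggests.
# The sample lockfile and source below are constructed for illustration.
require "rubygems"

# First unaffected release, per the advisory's "Unaffected versions" line.
FIXED_VERSION = Gem::Version.new("1.13.10")

# True when +version_string+ is older than the fixed release. Gem::Version
# compares segments numerically, so "1.13.9" < "1.13.10" as expected.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Extracts the resolved nokogiri version from Gemfile.lock text, ignoring any
# platform suffix such as "-x86_64-linux". Returns nil when nokogiri is not
# locked. (Hypothetical helper name.)
def locked_nokogiri_version(lockfile_text)
  match = lockfile_text.match(/^\s+nokogiri \((\d+(?:\.\d+)+)/)
  match && match[1]
end

# Matches a call to either affected method on any receiver. Reader#attributes
# calls Reader#attribute_hash internally in affected versions, so both are
# reported. This is a heuristic: Node#attributes has the same name, so a hit
# in a file that never mentions XML::Reader may be a false positive.
AFFECTED_CALL = /\.(attribute_hash|attributes)\b/

# Returns one hash per matching line: { line:, text:, reader_in_file: }.
# (Hypothetical helper name.)
def affected_call_sites(source)
  mentions_reader = source.include?("XML::Reader")
  source.each_line.with_index(1).filter_map do |text, number|
    next unless text.match?(AFFECTED_CALL)
    { line: number, text: text.strip, reader_in_file: mentions_reader }
  end
end

# Constructed Gemfile.lock excerpt pinning an affected release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)
LOCK

# Constructed application source that uses both affected methods.
SAMPLE_SOURCE = <<~RUBY
  require "nokogiri"
  reader = Nokogiri::XML::Reader(File.read(path))
  reader.each do |node|
    next unless node.node_type == Nokogiri::XML::Reader::TYPE_ELEMENT
    attrs = node.attributes
    puts node.attribute_hash.inspect
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  version = locked_nokogiri_version(SAMPLE_LOCKFILE)
  status = vulnerable_version?(version) ? "AFFECTED" : "fixed"
  puts "locked nokogiri #{version}: #{status}"
  affected_call_sites(SAMPLE_SOURCE).each do |hit|
    puts "  line #{hit[:line]}: #{hit[:text]}"
  end
end
```

To run it against a real project, replace the two constructed samples with `File.read("Gemfile.lock")` and the contents of each `*.rb` file; a hit in a file that does not mention `XML::Reader` is most likely a `Node#attributes` call and can usually be discounted.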

Resolution

All Nokogiri users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"
 

References

Release date
August 07, 2024

Latest revision
August 07, 2024: 1

Severity
normal

Exploitable
local

Bugzilla entries