Resource exhaustion in Sparklemotion Nokogiri
CVE-2022-24836
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.018 (83.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Sparklemotion Nokogiri — versions < 1.13.4
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
- github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aec…
- FEDORA-2022-9ed7641ce0 (vendor-advisory)
- FEDORA-2022-132c6d7c2e (vendor-advisory)
- FEDORA-2022-d231cb5e1f (vendor-advisory)
- [debian-lts-announce] 20220513 [SECURITY] [DLA 3003-1] ruby-nokogiri security update (mailing-list)
- GLSA-202208-29 (vendor-advisory)
- [debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update (mailing-list)
- support.apple.com/kb/HT213532
- 20221220 APPLE-SA-2022-12-13-4 macOS Ventura 13.1 (mailing-list)
Frequently asked questions
- What is CVE-2022-24836?
- CVE-2022-24836 is a high-severity vulnerability in Sparklemotion Nokogiri, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2022-04-11.
- How severe is CVE-2022-24836?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2022-24836 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.