{ "schema_version": "1.4.0", "id": "GHSA-vvfq-8hwr-qm4m", "modified": "2025-03-10T22:36:22Z", "published": "2025-02-18T22:36:03Z", "aliases": [], "summary": "Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171", "details": "## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of `xsd:keyref` in combination with recursively defined types that have additional identity constraints.", "severity": [], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "nokogiri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.18.3" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml" }, { "type": "PACKAGE", "url": "https://github.com/sparklemotion/nokogiri" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-1395", "CWE-416" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-02-18T22:36:03Z", "nvd_published_at": null } }