{ "schema_version": "1.4.0", "id": "GHSA-xc9x-jj77-9p9j", "modified": "2025-05-23T19:16:35Z", "published": "2024-02-05T20:22:56Z", "aliases": [], "summary": "Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062", "details": "## Summary\n\nNokogiri upgrades its dependency libxml2 as follows:\n- Nokogiri v1.15.6 upgrades libxml2 to [2.11.7](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7) from 2.11.6\n- Nokogiri v1.16.2 upgrades libxml2 to [2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from 2.12.4\n\nlibxml2 v2.11.7 and v2.12.5 address the following vulnerability:\n\n- CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604\n - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970\n\nPlease note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.\n\nJRuby users are not affected.\n\n## Mitigation\n\nUpgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.\n\nUsers who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile\nand link Nokogiri against patched external libxml2 libraries which will also address these same\nissues.\n\n## Impact\n\nFrom the CVE description, this issue applies to the `xmlTextReader` module (which underlies `Nokogiri::XML::Reader`):\n\n> When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.\n\n## Timeline\n\n- 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information\n- 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions\n- 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public\n- 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated \"Impact\" section\n- 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at https://github.com/sparklemotion/nokogiri/discussions/3146), updated mitigation information\n- 2024-03-18 22:12 EDT - update \"affected products\" range with v1.15.6 information", "severity": [], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "nokogiri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.16.0" }, { "fixed": "1.16.2" } ] } ] }, { "package": { "ecosystem": "RubyGems", "name": "nokogiri" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.15.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml" }, { "type": "PACKAGE", "url": "https://github.com/sparklemotion/nokogiri" }, { "type": "WEB", "url": "https://github.com/sparklemotion/nokogiri/discussions/3146" }, { "type": "WEB", "url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970" }, { "type": "WEB", "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/604" }, { "type": "WEB", "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5" } ], "database_specific": { "cwe_ids": [ "CWE-416" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-05T20:22:56Z", "nvd_published_at": null } }