org.nokogiri:nekohtml vulnerable to Uncontrolled Resource Consumption
High severity
GitHub Reviewed
Published Apr 11, 2022 in sparklemotion/nekohtml. Updated Nov 11, 2023.
Package: org.nokogiri:nekohtml
Affected versions: < 1.9.22.noko2
Patched versions: 1.9.22.noko2
Description
Published by the National Vulnerability Database: Apr 11, 2022
Published to the GitHub Advisory Database: Jun 22, 2023
Reviewed: Jun 22, 2023
Last updated: Nov 11, 2023
Summary
The fork of org.cyberneko.html used by Nokogiri (Rubygem), which vendors it for its JRuby build, raises a java.lang.OutOfMemoryError when parsing ill-formed HTML markup. An attacker who can supply HTML to a JRuby application that parses it with Nokogiri can therefore exhaust the JVM heap, which is a denial-of-service condition (CWE-400); because OutOfMemoryError is a JVM Error rather than an ordinary exception, applications should not expect to recover from it by rescuing it.
Severity
The maintainers have evaluated this as High severity, 7.5 (CVSS 3.1).
Mitigation
Upgrade to >= 1.9.22.noko2. There is no configuration-level workaround described in this advisory; the fix is to run a Nokogiri build that vendors the patched nekohtml.
Credit
This vulnerability was reported by 이형관 (windshock).
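Checking whether a JRuby process is actually running an affected nekohtml build is a version comparison against the advisory's cut-off, but the ".nokoN" fork suffix trips up the obvious tooling. The following is an added example, written for this page and not code from the advisory or from the Nokogiri project. It assumes (a) that the vendored versions are spelled "1.9.22.noko1", "1.9.22.noko2" and so on, as the advisory's range implies, and (b) that on JRuby Nokogiri::VERSION_INFO carries an "other_libraries" hash with a "nekohtml" entry; the sample hashes below are constructed stand-ins for that structure, not captured output.

```ruby
# Added example (not from the advisory or the Nokogiri project): decide whether a
# vendored nekohtml build falls inside the advisory's affected range
# "< 1.9.22.noko2". Versions are compared segment-wise, with the trailing
# ".nokoN" fork number treated as a fourth numeric component, so that a plain
# upstream "1.9.22" sorts below "1.9.22.noko1". Gem::Version is avoided on
# purpose: it treats the alphabetic "noko" segment as a prerelease marker, so
# Gem::Version.new("1.9.22.noko2") sorts below Gem::Version.new("1.9.22"),
# which would misclassify the patched build as older than an unpatched one.

PATCHED_NEKOHTML = "1.9.22.noko2"

# Parse "A.B.C" or "A.B.C.nokoN" into [A, B, C, N]; N is 0 when there is no
# fork suffix. Any other shape is rejected rather than guessed at.
def parse_nekohtml_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:\.noko(\d+))?\z/.match(str.to_s.strip)
  raise ArgumentError, "unrecognised nekohtml version: #{str.inspect}" unless m
  [m[1], m[2], m[3], m[4] || "0"].map(&:to_i)
end

# True when the given build is older than the patched release.
def vulnerable_nekohtml?(version)
  (parse_nekohtml_version(version) <=> parse_nekohtml_version(PATCHED_NEKOHTML)) < 0
end

# Inspect a hash shaped like Nokogiri::VERSION_INFO (assumed shape: on JRuby an
# "other_libraries" entry lists the vendored "nekohtml" version; on CRuby
# nekohtml is not loaded at all, so there is nothing to check).
def nekohtml_finding(version_info)
  neko = version_info.dig("other_libraries", "nekohtml")
  return { status: :not_applicable, reason: "nekohtml is only vendored on JRuby" } if neko.nil?

  if vulnerable_nekohtml?(neko)
    { status: :vulnerable, version: neko, fix: "upgrade so that nekohtml >= #{PATCHED_NEKOHTML}" }
  else
    { status: :patched, version: neko }
  end
end

# Constructed samples standing in for Nokogiri::VERSION_INFO on two runtimes.
JRUBY_SAMPLE = {
  "ruby" => { "engine" => "jruby" },
  "other_libraries" => { "nekohtml" => "1.9.22.noko1" },
}.freeze
CRUBY_SAMPLE = { "ruby" => { "engine" => "ruby" } }.freeze

if $PROGRAM_NAME == __FILE__
  p nekohtml_finding(JRUBY_SAMPLE)
  p nekohtml_finding(CRUBY_SAMPLE)
  # In a real JRuby process, pass the live hash instead:
  #   require "nokogiri"; p nekohtml_finding(Nokogiri::VERSION_INFO)
end
```

The parser deliberately rejects anything that is not exactly three numeric components plus an optional ".nokoN" suffix; a silent fallback here would turn an unexpected version string into a false "patched" result, which is the wrong failure mode for a vulnerability check.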
Weakness
CWE-400 Uncontrolled Resource Consumption
Notes
The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library, located at https://github.com/sparklemotion/nekohtml, and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability, but they are not covered by this advisory.