
Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Low severity GitHub Reviewed Published Feb 18, 2025 in sparklemotion/nokogiri • Updated Mar 10, 2025

Package

bundler nokogiri (RubyGems)

Affected versions

< 1.18.3

Patched versions

1.18.3

Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses the two issues described under Impact below.

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
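Both issues live in libxml2 rather than in Nokogiri's own Ruby code, so the question a deployment needs answered is which libxml2 is actually loaded, not only which gem version is installed (Nokogiri can be built against a system libxml2 instead of the packaged one). The following is an added example, not code from the advisory or from the Nokogiri project: a small check that compares the loaded versions against the thresholds named on this page and can gate DTD or XML Schema validation of untrusted input. It assumes `Nokogiri::VERSION_INFO["libxml"]["loaded"]` is available on the CRuby binding (it is absent on JRuby), and the `vulnerable_to_ghsa_vvfq_8hwr_qm4m?` and `installed_versions` names are hypothetical.

```ruby
# Added example (not part of the advisory): decide whether the running
# Nokogiri/libxml2 pair is affected by GHSA-vvfq-8hwr-qm4m, i.e. whether
# validating untrusted XML Schemas or DTD-validating untrusted documents
# should be allowed on this host.
require "rubygems" # for Gem::Version

# Thresholds taken from the advisory text.
PATCHED_NOKOGIRI = Gem::Version.new("1.18.3")
PATCHED_LIBXML2  = Gem::Version.new("2.13.6")

# Pure comparison so it can be exercised without the nokogiri gem present.
#   nokogiri_version: the gem version string, e.g. "1.18.2"
#   libxml_loaded:    the libxml2 version string actually loaded, e.g. "2.13.5",
#                     or nil when it cannot be determined (JRuby, odd builds)
# When the loaded libxml2 is known, it is the deciding factor: a system
# libxml2 >= 2.13.6 under an older gem is patched, and an older system
# libxml2 under gem 1.18.3 is still affected. Without it, fall back to the
# gem version range the advisory lists.
def vulnerable_to_ghsa_vvfq_8hwr_qm4m?(nokogiri_version, libxml_loaded)
  if libxml_loaded && Gem::Version.correct?(libxml_loaded)
    Gem::Version.new(libxml_loaded) < PATCHED_LIBXML2
  else
    Gem::Version.new(nokogiri_version) < PATCHED_NOKOGIRI
  end
end

# Read the live versions if nokogiri is installed (hypothetical helper).
# Returns [nokogiri_version, libxml_loaded_or_nil], or nil if the gem is absent.
def installed_versions
  require "nokogiri"
  [Nokogiri::VERSION, Nokogiri::VERSION_INFO.dig("libxml", "loaded")]
rescue LoadError
  nil
end

# Policy helper: only permit validation involving untrusted schemas or
# untrusted documents under DTD validation on a patched stack.
def allow_untrusted_validation?(nokogiri_version, libxml_loaded)
  !vulnerable_to_ghsa_vvfq_8hwr_qm4m?(nokogiri_version, libxml_loaded)
end

if __FILE__ == $PROGRAM_NAME
  versions = installed_versions
  if versions
    nk, lx = versions
    status = vulnerable_to_ghsa_vvfq_8hwr_qm4m?(nk, lx) ? "AFFECTED" : "patched"
    puts "nokogiri #{nk}, libxml2 loaded #{lx.inspect}: #{status}"
  else
    puts "nokogiri gem not installed; nothing to check"
  end
end
```

Run it directly to print the verdict for the current interpreter, or call `allow_untrusted_validation?` from the code path that would otherwise hand an untrusted `.xsd` to `Nokogiri::XML::Schema` or enable DTD validation on untrusted input; the conservative fallback flags any gem older than 1.18.3 when the loaded libxml2 cannot be read.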

References

@flavorjones flavorjones published to sparklemotion/nokogiri Feb 18, 2025
Published to the GitHub Advisory Database Feb 18, 2025
Reviewed Feb 18, 2025
Last updated Mar 10, 2025

Severity

Low

EPSS score

Weaknesses

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Learn more on MITRE.

Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Learn more on MITRE.

Dependency on Vulnerable Third-Party Component

The product has a dependency on a third-party component that contains one or more known vulnerabilities. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-vvfq-8hwr-qm4m