GHSA-5w6v-399v-w3cc

Source

https://github.com/advisories/GHSA-5w6v-399v-w3cc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-5w6v-399v-w3cc/GHSA-5w6v-399v-w3cc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5w6v-399v-w3cc

Related

Published

2025-04-21T21:55:56Z

Modified

2025-04-21T22:04:45.823585Z

Summary

Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Details

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

CVE-2025-32414
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
CVE-2025-32415
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1395"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-21T21:55:56Z"
}

References

Affected packages

RubyGems / nokogiri

Package

Name: nokogiri
Purl: pkg:gem/nokogiri

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.18.8

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.2.1

1.4.3

1.4.3.1

1.4.4

1.4.4.1

1.4.4.2

1.4.5

1.4.6

1.4.7

1.5.0.beta.1

1.5.0.beta.2

1.5.0.beta.3

1.5.0.beta.4

1.5.0

1.5.1.rc1

1.5.1

1.5.2

1.5.3.rc2

1.5.3.rc3

1.5.3.rc4

1.5.3.rc5

1.5.3.rc6

1.5.3

1.5.4.rc1

1.5.4.rc2

1.5.4.rc3

1.5.4

1.5.5.rc1

1.5.5.rc2

1.5.5.rc3

1.5.5

1.5.6.rc1

1.5.6.rc2

1.5.6.rc3

1.5.6

1.5.7.rc1

1.5.7.rc2

1.5.7.rc3

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.6.0.rc1

1.6.0

1.6.1

1.6.2.rc1

1.6.2.rc2

1.6.2.rc3

1.6.2

1.6.2.1

1.6.3.rc1

1.6.3.rc2

1.6.3.rc3

1.6.3

1.6.3.1

1.6.4

1.6.4.1

1.6.5

1.6.6.1

1.6.6.2

1.6.6.3

1.6.6.4

1.6.7.rc2

1.6.7.rc3

1.6.7.rc4

1.6.7

1.6.7.1

1.6.7.2

1.6.8.rc1

1.6.8.rc2

1.6.8.rc3

1.6.8

1.6.8.1

1.7.0

1.7.0.1

1.7.1

1.7.2

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.9.0.rc1

1.9.0

1.9.1

1.10.0.rc1

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.10.5

1.10.6

1.10.7

1.10.8

1.10.9

1.10.10

1.11.0.rc1

1.11.0.rc2

1.11.0.rc3

1.11.0.rc4

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.12.0.rc1

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.13.9

1.13.10

1.14.0.rc1

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.16.0.rc1

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.17.0

1.17.1

1.17.2

1.18.0.rc1

1.18.0

1.18.1

1.18.2

1.18.3

1.18.4

1.18.5

1.18.6

1.18.7