Inefficient Regular Expression Complexity in Nokogiri
CVE-2022-24836

7.5HIGH

Key Information:

Vendor: Sparklemotion
Status: Nokogiri
Vendor: CVE Published:; 11 April 2022

🔔 Create Sparklemotion Vulnerability Alert

What is CVE-2022-24836?

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Affected Version(s)

nokogiri < 1.13.4

References

https://github.com/sparklemotion/nokogiri/security/adviso...

https://github.com/sparklemotion/nokogiri/commit/e444525e...

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2022
Vulnerability Reserved
Feb 10, 2022

CVE-2022-24836 Data

JSON