Headline
GHSA-vvfq-8hwr-qm4m: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
Summary
Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.
libxml2 v2.13.6 addresses:
- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
Impact
CVE-2025-24928
Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.
CVE-2024-56171
Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
Package
bundler nokogiri (RubyGems)
Affected versions
< 1.18.3
Patched versions
1.18.3
Description
Summary
Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.
libxml2 v2.13.6 addresses:
- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
Impact****CVE-2025-24928
Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.
CVE-2024-56171
Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
References
- GHSA-vvfq-8hwr-qm4m
flavorjones published to sparklemotion/nokogiri
Feb 18, 2025
Published to the GitHub Advisory Database
Feb 18, 2025
Reviewed
Feb 18, 2025
Last updated
Feb 18, 2025