CVE-2021-3518: Nokogiri Implements libxml2 version vulnerable to use-after-free
8.8
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nokogiri | rubygems | < 1.11.4 | 1.11.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability CVE-2021-3518 is a use-after-free flaw within the libxml2 library, specifically in versions before 2.9.11. Nokogiri, a popular Ruby library for parsing XML and HTML, bundles libxml2 for its core parsing functionality. Affected versions of Nokogiri (< 1.11.4) included a vulnerable version of libxml2.
The patch for this vulnerability in Nokogiri was not a change in Nokogiri's own Ruby or C extension code, but rather an update of the bundled libxml2 library to version 2.9.11. This update occurred in Nokogiri version 1.11.4, with commit c9c89f7598f9a18000b60490309898091f190a77 being a key commit that updated the libxml2 submodule.
Therefore, the 'vulnerable functions' from Nokogiri's perspective are its public API methods that developers use to parse XML/HTML documents or streams. When these Nokogiri methods are invoked with specially crafted input, they pass this input to the underlying libxml2 library. If Nokogiri is using a vulnerable version of libxml2, the use-after-free condition within libxml2 can be triggered.
The identified functions are the primary entry points in the Nokogiri API for initiating parsing operations (DOM, SAX, Reader, Push). These are the functions that would appear in a Ruby application's stack trace when the application processes malicious input that triggers the libxml2 vulnerability. They 'process potentially malicious input' by forwarding it to the vulnerable component.
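Because the fix is a version bump rather than a code change, exposure can be checked from a project's resolved dependencies. The following is an added example, not code from Nokogiri or from this advisory: it scans a `Gemfile.lock` for nokogiri entries below 1.11.4, including platform-specific precompiled gems. The lockfile text is a constructed sample, and the function names are hypothetical.

```ruby
require "rubygems" # provides Gem::Version for correct version ordering

PATCHED_NOKOGIRI = Gem::Version.new("1.11.4") # first patched version per the advisory table
PATCHED_LIBXML2  = Gem::Version.new("2.9.11") # libxml2 release that fixes CVE-2021-3518

# Constructed sample lockfile excerpt (not taken from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    specs:
      mini_portile2 (2.5.0)
      nokogiri (1.11.3)
        mini_portile2 (~> 2.5.0)
      nokogiri (1.11.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.5.2)
LOCK

# Resolved gems sit at exactly four spaces of indent; dependency constraints
# (six spaces) are skipped. A "-platform" suffix marks a precompiled gem.
def nokogiri_entries(lock_text)
  lock_text.scan(/^ {4}nokogiri \((\d[\w.]*?)(?:-([\w-]+))?\)$/).map do |ver, platform|
    [Gem::Version.new(ver), platform || "ruby"]
  end
end

# One result per resolved nokogiri entry, flagged if below the patched release.
def audit(lock_text)
  nokogiri_entries(lock_text).map do |ver, platform|
    { version: ver.to_s, platform: platform, vulnerable: ver < PATCHED_NOKOGIRI }
  end
end

# Assumption: when Nokogiri is built against a system libxml2 instead of the
# bundled copy, the gem version is not decisive and the library version is.
def vulnerable_libxml2?(loaded_version)
  Gem::Version.new(loaded_version) < PATCHED_LIBXML2
end

if __FILE__ == $0
  audit(SAMPLE_LOCKFILE).each { |entry| puts entry }
end
```

On a host with Nokogiri installed, the string to pass to `vulnerable_libxml2?` can be read from `Nokogiri::VERSION_INFO["libxml"]["loaded"]`.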