CVE-2022-23476: Unchecked return value from xmlTextReaderExpand
CVSS Score (v3.1): 7.5
Basic Information
CVE ID: CVE-2022-23476
GHSA ID:
EPSS Score: 0.40849%
CWE: CWE-252 (Unchecked Return Value), leading to CWE-476 (NULL Pointer Dereference)
Published: 2022-12-08
Updated: 2023-02-02
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (remotely reachable with no privileges or user interaction; impact is availability only, i.e. a crash, with no confidentiality or integrity loss)
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nokogiri | rubygems | >= 1.13.8, < 1.13.10 | 1.13.10 |
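As an added example that is not part of the advisory or of the Nokogiri project's own code, the following Ruby script reads a Gemfile.lock and reports whether the pinned nokogiri falls inside the affected range in the table above. The lockfile contents are constructed for the example, and the function names are my own; it uses only the Gem::Version and Gem::Requirement classes that ship with RubyGems, so it runs without nokogiri installed.

```ruby
require "rubygems"

# Affected range and first patched version, taken from the advisory table.
AFFECTED_RANGE = Gem::Requirement.new(">= 1.13.8", "< 1.13.10")
FIRST_PATCHED  = Gem::Version.new("1.13.10")

# Constructed sample lockfile (not from any real project) that pins a
# platform-specific build of an affected nokogiri release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri

  BUNDLED WITH
     2.3.26
LOCK

# Returns the nokogiri version pinned in the lockfile's specs section as a
# string, or nil if nokogiri is not pinned. Spec entries are indented by
# exactly four spaces; their dependency lines (six spaces) and the
# un-versioned entry under DEPENDENCIES are skipped. A platform suffix such
# as "-x86_64-linux" is dropped so the version compares as a release rather
# than as a prerelease.
def nokogiri_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    m = line.match(/\A {4}nokogiri \(([^)\s]+)\)/)
    return m[1].split("-", 2).first if m
  end
  nil
end

# True when the given version string falls inside the affected range.
def affected_by_cve_2022_23476?(version)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
end

# Human-readable verdict for a lockfile's contents.
def report(lock_text)
  version = nokogiri_version_from_lockfile(lock_text)
  return "nokogiri is not pinned in this Gemfile.lock" unless version

  if affected_by_cve_2022_23476?(version)
    "nokogiri #{version} is affected by CVE-2022-23476; upgrade to #{FIRST_PATCHED} or later"
  else
    "nokogiri #{version} is outside the affected range for CVE-2022-23476"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path to a real Gemfile.lock, or run with no arguments to use the sample.
  path = ARGV[0]
  lock_text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCKFILE
  puts report(lock_text)
end
```

The platform-suffix handling matters in practice: Gem::Version treats a "-" segment as a prerelease marker, so "1.13.9-x86_64-linux" would otherwise sort below 1.13.9 and could slip out of the range check.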
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory names Nokogiri::XML::Reader#attribute_hash as the affected method. That Ruby method is implemented by the C function rb_xml_reader_attribute_hash in ext/nokogiri/xml_reader.c, which calls libxml2's xmlTextReaderExpand to obtain the current node and then uses the returned pointer (c_node). xmlTextReaderExpand returns NULL when it cannot expand the node, which is what happens when invalid markup is being parsed, so an unchecked return value (CWE-252) becomes a NULL pointer dereference (CWE-476) in native code that crashes the Ruby process. That denial-of-service outcome is what the availability-only CVSS vector reflects. The fix in 1.13.10 adds a NULL check on c_node immediately after the xmlTextReaderExpand call, before the node is used, confirming the missing check as the root cause. Only code paths that run Nokogiri::XML::Reader over attacker-controlled XML are exposed; applications on 1.13.8 or 1.13.9 should upgrade to 1.13.10.