The vulnerability is a heap-based buffer overflow in the hashmap implementation used by Nokogiri's Gumbo parser. The advisory names hashmap_get_with_hash as the affected function. The provided patch does not touch hashmap.c; instead it modifies the functions in gumbo-parser/src/string_set.c that call into the hashmap.
The commit message clarifies the issue: "Previously we were passing a character string of variable length, but always copying 8 bytes into the item. It's not really a problem if the length of the string is less than 8, but it's more serious if the length is longer than 8." This confirms a buffer overflow vulnerability.
The patch addresses this by changing how strings are stored in the hashmap. Instead of copying the string's bytes directly into the fixed-size item (which overflowed it for strings longer than 8 bytes), the patched code stores a pointer to the string. This is evident from the changes in gumbo_string_set_insert and gumbo_string_set_contains, where &str is now passed to hashmap_set and hashmap_get respectively. The helper functions string_compare and string_hash were updated accordingly so that they dereference the stored pointer before reading the string.
Therefore, the vulnerable functions are the ones in string_set.c that the patch modifies. They are the entry points: called with a long string, they trigger the overflow in the underlying hashmap, so a stack trace from a crash on such input would show these functions on the path to the fault.
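To make the fix concrete, here is an added example in C that is not Nokogiri, Gumbo or patch code: a minimal string set built on a hashmap whose items are a fixed 8 bytes, the shape described above. The unsafe pre-patch pattern copied a variable-length string into that fixed item; in this model the item holds only a pointer to the string, and the hash and compare helpers dereference that pointer, mirroring the approach the patch takes. A second helper, copy_key_bounded, shows the other safe option of bounding a by-value copy and refusing oversize keys. The item size of 8, the linear-probing table, the FNV-1a hash and all function names are assumptions of this demo, not the library's own.

```c
/* Added example, not Nokogiri/Gumbo code. Models a hashmap with fixed 8-byte
 * items: the item stores a POINTER to the key string, never the string bytes,
 * so key length can never overflow the item. ITEM_SIZE, BUCKETS, FNV-1a and
 * the function names are assumptions of this demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_SIZE 8
#define BUCKETS 64

/* C99-compatible compile-time check that a pointer fits in an item. */
typedef char ptr_fits_item[(sizeof(const char *) <= ITEM_SIZE) ? 1 : -1];

typedef struct {
    bool used;
    unsigned char item[ITEM_SIZE]; /* fixed slot: never receives more than ITEM_SIZE bytes */
} bucket_t;
typedef struct { bucket_t buckets[BUCKETS]; } strset_t;

/* Read the stored pointer back out of an item via memcpy (no alignment assumptions). */
static const char *item_str(const void *item) {
    const char *s;
    memcpy(&s, item, sizeof s);
    return s;
}

/* FNV-1a over the string the item points to. */
static uint64_t string_hash(const void *item) {
    uint64_t h = 1469598103934665603ULL;
    for (const char *s = item_str(item); *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

static bool string_compare(const void *a, const void *b) {
    return strcmp(item_str(a), item_str(b)) == 0;
}

/* Linear probing; `key` is an item-shaped buffer holding a pointer. */
static bucket_t *find_slot(strset_t *set, const unsigned char *key, bool *found) {
    uint64_t h = string_hash(key);
    for (size_t i = 0; i < BUCKETS; i++) {
        bucket_t *b = &set->buckets[(h + i) % BUCKETS];
        if (!b->used) { *found = false; return b; }
        if (string_compare(b->item, key)) { *found = true; return b; }
    }
    *found = false;
    return NULL; /* table full */
}

/* Build an item from a string: copy the pointer (sizeof str <= ITEM_SIZE), not
   the bytes. The caller must keep `str` alive for the lifetime of the set. */
static void make_key(unsigned char key[ITEM_SIZE], const char *str) {
    memset(key, 0, ITEM_SIZE);
    memcpy(key, &str, sizeof str);
}

bool strset_insert(strset_t *set, const char *str) {
    unsigned char key[ITEM_SIZE];
    bool found;
    make_key(key, str);
    bucket_t *b = find_slot(set, key, &found);
    if (b == NULL) return false;
    if (!found) { memcpy(b->item, key, ITEM_SIZE); b->used = true; }
    return true;
}

bool strset_contains(strset_t *set, const char *str) {
    unsigned char key[ITEM_SIZE];
    bool found;
    make_key(key, str);
    find_slot(set, key, &found);
    return found;
}

/* Alternative when an item must hold the key bytes by value: bound the copy
   and refuse keys that do not fit instead of writing past the item. */
bool copy_key_bounded(unsigned char item[ITEM_SIZE], const char *str) {
    size_t n = strlen(str);
    if (n > ITEM_SIZE) return false;
    memset(item, 0, ITEM_SIZE);
    memcpy(item, str, n);
    return true;
}

bool key_fits_item(const char *str) {
    unsigned char item[ITEM_SIZE];
    return copy_key_bounded(item, str);
}

/* Exercise the set with keys shorter and far longer than ITEM_SIZE; true on success. */
bool demo_string_set(void) {
    strset_t set;
    memset(&set, 0, sizeof set);
    const char *longkey = "this-key-is-much-longer-than-eight-bytes";
    if (!strset_insert(&set, "a")) return false;
    if (!strset_insert(&set, longkey)) return false;
    if (!strset_insert(&set, longkey)) return false;      /* duplicate insert is a no-op */
    if (!strset_contains(&set, longkey)) return false;
    if (strset_contains(&set, "this-key-is-much")) return false; /* a prefix is a different key */
    return true;
}

int main(void) {
    printf("string set demo: %s\n", demo_string_set() ? "ok" : "FAILED");
    printf("8-byte key fits item: %d, 9-byte key fits item: %d\n",
           key_fits_item("abcdefgh"), key_fits_item("abcdefghi"));
    return 0;
}
```

The point of the pointer-storing design is that the item size and the key length are decoupled entirely, which is why the patch could leave hashmap.c alone and change only the callers and their hash/compare helpers. The trade-off, visible in make_key, is a lifetime rule: the string must outlive the set, which a parser with arena-allocated strings can guarantee. Where that rule cannot be met and keys must be stored by value, copy_key_bounded shows the minimum check the pre-patch code lacked.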
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nokogiri | rubygems | = 0 | |