7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gx8x-g87m-h5q6

EPSS Score

CWE

CWE-400

Published

4/11/2022

Updated

1/11/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-gx8x-g87m-h5q6

GHSA-gx8x-g87m-h5q6: Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

Severity: High 7.5
Type: CWE-400 Uncontrolled Resource Consumption
Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
See also: GHSA-9849-p7jc-9rmv

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-gx8x-g87m-h5q6

EPSS Score

CWE

CWE-400

Published

4/11/2022

Updated

1/11/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nokogiri	rubygems	< 1.13.4	1.13.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper EOF handling in HTML processing instruction parsing. The commit a800fce shows the fix specifically modifies the scanPI method in HTMLScanner.java to check for EOF (c == -1) in addition to '>', preventing infinite loops. This matches the CWE-400 description of uncontrolled resource consumption through malformed HTML inputs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry Noko*iri `v*.**.*` up**t*s t** v*n*or** `or*.*y**rn*ko.*tml` li*r*ry to `*.*.**.noko*` w*i** ***r*ss*s [*V*-****-*****](*ttps://*it*u*.*om/sp*rkl*motion/n*ko*tml/s**urity/**visori*s/**S*-****-p*j*-*rmv). T**t *V* is r*t** *.* (*i** S*v*ri

Reasoning

T** vuln*r**ility st*ms *rom improp*r *O* **n*lin* in *TML pro**ssin* instru*tion p*rsin*. T** *ommit `*******` s*ows t** *ix sp**i*i**lly mo*i*i*s t** `s**nPI` m*t*o* in `*TMLS**nn*r.j*v*` to ****k *or *O* (* == -*) in ***ition to '>', pr*v*ntin* in

7.5

Basic Information

Concerned about an active attack path?

GHSA-gx8x-g87m-h5q6: Denial of Service (DoS) in Nokogiri on JRuby

Summary

Mitigation

Impact

CVE-2022-24839 in nekohtml

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI