N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vcc3-rw6f-jv97

EPSS Score

CWE

CWE-416

Published

3/18/2024

Updated

3/18/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vcc3-rw6f-jv97

GHSA-vcc3-rw6f-jv97: Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Nokogiri upgrades its dependency libxml2 as follows:

v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-vcc3-rw6f-jv97

GHSA-vcc3-rw6f-jv97:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vcc3-rw6f-jv97

EPSS Score

CWE

CWE-416

Published

3/18/2024

Updated

3/18/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nokogiri	rubygems	< 1.15.6	1.15.6
nokogiri	rubygems	>= 1.16.0, < 1.16.2	1.16.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises in libxml2's XML Reader (xmlTextReader) when DTD validation and XInclude are enabled. The patch commit (92721970) modifies xmlTextReaderValidatePop in xmlreader.c to add a NULL check for valid->vstate before calling xmlValidatePopElement. This indicates that the missing check in xmlTextReaderValidatePop allowed a freed validity state to be passed to xmlValidatePopElement, causing a use-after-free. Both functions are directly involved: xmlTextReaderValidatePop for failing to validate the state, and xmlValidatePopElement for operating on an invalid pointer. The CVE description explicitly references xmlValidatePopElement, and the commit confirms the code path in xmlTextReader.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-vcc3-rw6f-jv97: Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Severity

Impact

Mitigation

GHSA-vcc3-rw6f-jv97:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-vcc3-rw6f-jv97: Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Severity

Impact

Mitigation

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI