An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14Yzl4LWpqNzctOXA5as4AA5Ek

Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062


Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.16.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.


Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.12.5 which will also address these same issues.


From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.


Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 25 days ago
Updated: 25 days ago

Identifiers: GHSA-xc9x-jj77-9p9j

Affected Packages

Versions: < 1.16.2
Fixed in: 1.16.2