CVSS v3.x: 7.5 (High)
- >= 1.13.4
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of
< 1.13.4, and only if the packaged version of
zlib is being used.
Please see this document
for a complete description of which platform gems vendor
zlib. If you’ve
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro’s
Upgrade to Nokogiri
CVE-2018-25032 in zlib
- Severity: High
- Type: CWE-787 Out of bounds write
- Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.