RubySec

Providing security resources for the Ruby community

CVE-2020-7595 (nokogiri): libxml2 2.9.10 has an infinite loop in a certain end-of-file situation

GEM

nokogiri

SEVERITY

CVSS v3: 7.5

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 1.10.8

DESCRIPTION

Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2 and released this as v1.10.8.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.
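An added example (not code from RubySec or the Nokogiri project) that turns the advisory's version range into a check a deployment script can run: the patched version comes from this page, and the `Nokogiri::VERSION_INFO["libxml"]["source"]` key is assumed to behave as in the 1.10.x series (`"packaged"` for the vendored libxml2, `"system"` for an OS-provided one), since only the vendored copy carries the backported fix.

```ruby
# Added example: classify exposure to CVE-2020-7595 from the Nokogiri version
# and from which libxml2 the gem was built against.
require "rubygems" # Gem::Version ships with Ruby

# First Nokogiri release carrying the backported libxml2 patch (from the advisory).
PATCHED_NOKOGIRI = Gem::Version.new("1.10.8")

# Returns :patched, :vulnerable or :check_system_libxml2.
#   nokogiri_version - version string such as "1.10.7"
#   libxml_source    - "packaged" when Nokogiri uses its vendored libxml2,
#                      "system" when it links against the OS libxml2
def cve_2020_7595_status(nokogiri_version, libxml_source: "packaged")
  version = Gem::Version.new(nokogiri_version)
  # The backport lives in Nokogiri's vendored libxml2; a build linked against
  # the system libxml2 depends on that library's own patch level instead.
  return :check_system_libxml2 if libxml_source == "system"
  # Gem::Version orders prereleases below the final release, so "1.10.8.rc1"
  # is still reported as vulnerable.
  version >= PATCHED_NOKOGIRI ? :patched : :vulnerable
end

# Inspect the running process when Nokogiri is loadable. Assumes the
# VERSION_INFO["libxml"]["source"] key exposed by the 1.10.x series.
def live_nokogiri_status
  require "nokogiri"
  source = Nokogiri::VERSION_INFO.dig("libxml", "source") || "packaged"
  cve_2020_7595_status(Nokogiri::VERSION, libxml_source: source)
rescue LoadError
  :nokogiri_not_installed
end

puts "Installed Nokogiri: #{live_nokogiri_status}" if $PROGRAM_NAME == __FILE__
```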