CVSS v3.x: 7.5 (High)
Unaffected versions:
- <= 1.13.7
- >= 1.13.10

Affected versions: 1.13.8, 1.13.9

Nokogiri 1.13.8 and 1.13.9 fail to check the return value from
xmlTextReaderExpand in the method
Nokogiri::XML::Reader#attribute_hash. xmlTextReaderExpand returns NULL when it cannot expand the current node, which happens when invalid markup is being parsed; the unchecked NULL is then dereferenced, crashing the process (a null pointer dereference in the native extension, not a catchable Ruby exception).
For applications that use XML::Reader to parse untrusted input, this may be a vector for a denial of service attack: an attacker who can supply invalid markup can crash the process doing the parsing.
Upgrade to Nokogiri >= 1.13.10.

Users can search their code for calls to
XML::Reader#attribute_hash to determine whether they are affected.
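The two mitigation checks above (is the locked nokogiri version one of the affected releases, and does the code call XML::Reader#attribute_hash) can be automated. The following is an added triage script written for this page; it is not code from Nokogiri or its maintainers. It assumes a Bundler-style Gemfile.lock and a hash of source files, and the lockfile and source snippets it runs against are constructed sample input, not taken from any real project. Only direct textual calls to attribute_hash are found; a wrapper library that calls it on the application's behalf would not be reported.

```ruby
# Added triage helper for the Nokogiri::XML::Reader#attribute_hash advisory.
# Example code for this page, not code from Nokogiri or its maintainers.
# It answers the two questions the mitigation section raises:
#   1. Is the locked nokogiri version one of the affected releases (1.13.8, 1.13.9)?
#   2. Does the application source call XML::Reader#attribute_hash at all?
# Only direct textual calls are found; a wrapper gem that calls attribute_hash
# on the application's behalf would not show up here.
require "rubygems"

# Affected range taken from the advisory: 1.13.8 and 1.13.9 only.
AFFECTED_NOKOGIRI = Gem::Requirement.new(">= 1.13.8", "<= 1.13.9")

# Pull the locked nokogiri version out of Gemfile.lock text (the "specs:" line
# of the form "    nokogiri (1.13.9-x86_64-linux)"). The platform suffix that
# bundler appends is discarded so the result parses as a plain Gem::Version.
# Returns nil when nokogiri is not locked.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s+nokogiri \((\d+(?:\.\d+)*)(?:-[^)]*)?\)/)
  m && m[1]
end

# True when the version string falls inside the affected range.
def affected_nokogiri_version?(version)
  return false if version.nil?
  AFFECTED_NOKOGIRI.satisfied_by?(Gem::Version.new(version))
end

# Find direct call sites of attribute_hash in { "path" => "source text" } pairs.
# Returns [path, line_number, stripped_line] triples for manual review.
def attribute_hash_call_sites(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1)
        .select { |line, _| line.include?("attribute_hash") }
        .map { |line, n| [path, n, line.strip] }
  end
end

# Combine both checks. A project is flagged as exposed only if it locks an
# affected version AND has at least one attribute_hash call site. Whether the
# input at those sites is untrusted is a judgement this helper cannot make, so
# every call site is listed for review.
def nokogiri_reader_exposure(lockfile_text, sources)
  version = locked_nokogiri_version(lockfile_text)
  sites = attribute_hash_call_sites(sources)
  {
    version: version,
    affected_version: affected_nokogiri_version?(version),
    call_sites: sites,
    exposed: affected_nokogiri_version?(version) && !sites.empty?
  }
end

# Constructed sample inputs (hypothetical project, not a real lockfile or app).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

SAMPLE_SOURCES = {
  "app/importers/feed_importer.rb" => <<~RUBY,
    reader = Nokogiri::XML::Reader(upload.read)
    reader.each do |node|
      attrs = node.attribute_hash   # streaming parse of user-uploaded XML
      process(node.name, attrs)
    end
  RUBY
  "lib/safe_dom.rb" => "doc = Nokogiri::XML(File.read(path))\n"
}

if __FILE__ == $0
  report = nokogiri_reader_exposure(SAMPLE_LOCKFILE, SAMPLE_SOURCES)
  puts "locked nokogiri: #{report[:version].inspect} (affected: #{report[:affected_version]})"
  report[:call_sites].each { |path, n, line| puts "  #{path}:#{n}: #{line}" }
  puts(report[:exposed] ? "EXPOSED: upgrade to nokogiri >= 1.13.10" : "not exposed")
end
```

Run it against a real checkout by reading Gemfile.lock and globbing the app's .rb files into the sources hash; a non-empty call-site list on an affected version means the upgrade is not optional, and an empty list on an affected version still warrants upgrading, since the check cannot see calls made inside dependencies.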
The Nokogiri maintainers have evaluated this as High Severity, 7.5 (CVSS 3.1).
This vulnerability was responsibly reported by @davidwilemski.