RubySec

Providing security resources for the Ruby community

CVE-2022-24836 (nokogiri): Inefficient Regular Expression Complexity in Nokogiri

GEM

nokogiri

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • >= 1.13.4

DESCRIPTION

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect the encoding of HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.
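As an added example (not taken from this advisory or from Nokogiri's own code), the following Ruby check reads a Gemfile.lock and reports whether the locked nokogiri version falls below the patched range stated above. It assumes Bundler's standard lockfile layout; the embedded lockfile fragment is a constructed sample, not from a real project.

```ruby
# Added example, not from the RubySec advisory: flag a Gemfile.lock whose
# nokogiri version is below the range patched for CVE-2022-24836.
require 'rubygems'

PATCHED_NOKOGIRI = Gem::Requirement.new('>= 1.13.4') # range from the advisory

# Constructed sample Gemfile.lock fragment (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

# Return the locked Gem::Version of gem_name, or nil if it is not locked.
# Assumes Bundler's layout: top-level specs are indented by exactly four
# spaces as "name (version)" or "name (version-platform)"; the dependency
# lines beneath them are indented further and are skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/)
    next unless m
    # Strip a platform suffix such as "-x86_64-linux" before parsing.
    return Gem::Version.new(m[1].split('-').first)
  end
  nil
end

# True when nokogiri is locked and its version is outside the patched range.
def nokogiri_vulnerable?(lockfile_text)
  version = locked_version(lockfile_text, 'nokogiri')
  return false if version.nil? # gem not used at all
  !PATCHED_NOKOGIRI.satisfied_by?(version)
end

if __FILE__ == $PROGRAM_NAME
  # Reads ./Gemfile.lock when present, otherwise the constructed sample.
  text = File.exist?('Gemfile.lock') ? File.read('Gemfile.lock') : SAMPLE_LOCKFILE
  puts(nokogiri_vulnerable?(text) ? 'nokogiri below 1.13.4: upgrade' : 'nokogiri ok')
end
```
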